cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forwp-auto-affiliate-links wp-auto-affiliate-links

Direction: ascending
Jun 07, 2024

Auto Affiliate Links # 32a7cdf6fa345f0043ffab261989233ee8db7233

CVE, Research URL

32a7cdf6fa345f0043ffab261989233ee8db7233

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
Jul 15, 2015
Research Description
Auto Affiliate Links [wp-auto-affiliate-links] < 5.0 WordPress Auto Affiliate Links Plugin <= 4.9.9.4 - Blind SQL Injection Because of this vulnerability, authenticated users can execute arbitrary SQL commands. Update the plugin.
Affected versions
max 5.0.
Status
vulnerable

Auto Affiliate Links # CVE-2023-25973

CVE, Research URL

CVE-2023-25973

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
Mar 13, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3.0.2 versions.
Affected versions
max 5.0.
Status
vulnerable

Auto Affiliate Links # CVE-2024-1843

CVE, Research URL

CVE-2024-1843

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
Mar 13, 2024
Research Description
The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts.
Affected versions
max 6.4.2.6.
Status
vulnerable

Auto Affiliate Links # CVE-2024-34386

CVE, Research URL

CVE-2024-34386

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
May 07, 2024
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lucian Apostol Auto Affiliate Links.This issue affects Auto Affiliate Links: from n/a through 6.4.3.1.
Affected versions
max 6.4.2.8.
Status
vulnerable

Auto Affiliate Links # CVE-2023-22689

CVE, Research URL

CVE-2023-22689

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
May 21, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3 versions.
Affected versions
max 6.3.0.1.
Status
vulnerable

Auto Affiliate Links # CVE-2023-47652

CVE, Research URL

CVE-2023-47652

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
Nov 13, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links allows Stored XSS.This issue affects Auto Affiliate Links: from n/a through 6.4.2.4.
Affected versions
max 6.4.2.5.
Status
vulnerable
Jun 10, 2024

Auto Affiliate Links # CVE-2022-45840

CVE, Research URL

CVE-2022-45840

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
Dec 13, 2024
Research Description
Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Affiliate Links: from n/a through 6.2.1.5.
Affected versions
max 6.2.1.6.
Status
vulnerable
May 19, 2025

Auto Affiliate Links # CVE-2024-9838

CVE, Research URL

CVE-2024-9838

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
May 16, 2025
Research Description
The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
Affected versions
max 6.4.7.
Status
vulnerable
May 10, 2026

Auto Affiliate Links # CVE-2026-7330

CVE, Research URL

CVE-2026-7330

Home page URL

Security reports for Auto Affiliate Links

Application

Auto Affiliate Links

Date
May 08, 2026
Research Description
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
Affected versions
max 6.8.8.1.
Status
vulnerable