Auto Amazon Links – Amazon Associates Affiliate Plugin, CVE-2025-11451
- CVE, Research URL
- Published on
- Nov 11, 2025
- Research Description
- The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
- Affected versions
- max 5.4.3.
- Status
- vulnerable