Friday, July 3, 2026

ThirstyAffiliates WordPress Plugin Vulnerability


The National Vulnerability Database (NVD) announced that the ThirstyAffiliates Affiliate Link Manager WordPress plugin has two vulnerabilities that could allow attackers to inject affiliate links. Additionally, the plugin lacks cross-site request forgery (CSRF) checks, which could lead to a complete compromise of the victim’s website.

ThirstyAffiliates Link Manager Plugin

The ThirstyAffiliates Link Manager WordPress plugin provides affiliate link management tools. Affiliate links change constantly, and once a link expires, the site owner no longer earns money from it.

The WordPress affiliate link management plugin solves this problem by providing a way to manage affiliate links from a single area in the WordPress admin panel, making it easy to change the destination URL for the entire site by changing one link.

The tool allows adding affiliate links to content as it is being written.

ThirstyAffiliate Link Manager WordPress Plugin Vulnerability

The National Vulnerability Database (NVD) describes two vulnerabilities that allow any logged-in user (including subscriber-level users) to create affiliate links, and to upload images attached to those links, that can direct anyone who clicks them to any website.

NVD describes the vulnerabilities as follows:

CVE-2022-0398

“The ThirstyAffiliates Affiliate Link Manager WordPress plugin prior to 3.10.5 does not have authorization and CSRF checks when creating affiliate links, which could allow any authenticated user (such as a subscriber) to create arbitrary affiliate links, which can then be used to redirect users to any website.”

CVE-2022-0634

“The ThirstyAffiliates Affiliate Link Manager WordPress plugin prior to 3.10.5 lacked an authorization check in the ta_insert_external_image action, allowing low-privilege users (with roles down to Subscriber) to add images from external URLs to affiliate links.

Additionally, the plugin lacks CSRF checks, allowing an attacker to trick a logged in user into performing an action by crafting a special request.”

Cross-Site Request Forgery

A cross-site request forgery attack tricks a logged-in user’s browser into sending a request the user never intended, so the website executes that command with the user’s privileges. The request originates from a page the user visits elsewhere, not from the website being attacked.

On a website that lacks CSRF checks, the server cannot tell the difference between a request the logged-in user deliberately made and a forged request, because the browser automatically attaches the user’s cookie credentials to both (authenticated means logged in).

If the logged-in user has admin-level access, the forged request runs with admin privileges, so the attack could result in the entire website being taken over.
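To make the two missing checks concrete, here is an added example of a WordPress admin-ajax handler that creates an affiliate link, first written the way the advisory describes (no authorization and no CSRF check) and then hardened. This is illustrative code written for this article, not ThirstyAffiliates’ own source, and the action name example_create_affiliate_link, the post type example_affiliate_link and the capability manage_options are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not ThirstyAffiliates code): a WordPress admin-ajax handler
 * that creates an affiliate link post, in a weak form and a hardened form.
 *
 * Hypothetical names used here: action "example_create_affiliate_link",
 * post type "example_affiliate_link", capability "manage_options".
 */

// Shared helper: build the affiliate link post from the request fields.
function example_insert_affiliate_link( $title, $destination ) {
    return wp_insert_post( array(
        'post_type'   => 'example_affiliate_link',
        'post_title'  => $title,
        'post_status' => 'publish',
        'meta_input'  => array( '_destination_url' => $destination ),
    ), true );
}

// --- Weak pattern (the class of bug the advisory describes) ----------------
// Every logged-in user, Subscribers included, can reach wp_ajax_* handlers,
// and the browser attaches the victim's login cookie to a forged cross-site
// request, so this handler can be driven by any account or by CSRF.
// It is deliberately NOT registered with add_action().
function example_create_affiliate_link_weak() {
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $destination = esc_url_raw( wp_unslash( $_POST['destination'] ?? '' ) );
    $post_id     = example_insert_affiliate_link( $title, $destination );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// --- Hardened pattern: CSRF check, then authorization, then validation -----
function example_create_affiliate_link_safe() {
    // 1. CSRF: the request must carry a nonce bound to this action and to the
    //    current user's session; a page on another origin cannot obtain it.
    //    check_ajax_referer() responds with -1 and exits when the nonce fails.
    check_ajax_referer( 'example_create_affiliate_link', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require a capability
    //    that the Subscriber role does not have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input validation: accept only http/https destinations, and reject
    //    an empty result (esc_url_raw returns '' for disallowed schemes).
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $destination = esc_url_raw(
        wp_unslash( $_POST['destination'] ?? '' ),
        array( 'http', 'https' )
    );
    if ( '' === $title || '' === $destination ) {
        wp_send_json_error( array( 'message' => 'Invalid title or destination URL.' ), 400 );
    }

    $post_id = example_insert_affiliate_link( $title, $destination );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_example_create_affiliate_link', 'example_create_affiliate_link_safe' );

// The legitimate admin form embeds the nonce as a hidden field named "nonce",
// which is the query argument check_ajax_referer() looks for above. Only a
// request that originates from this form can pass the CSRF check.
function example_render_affiliate_link_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_create_affiliate_link">';
    wp_nonce_field( 'example_create_affiliate_link', 'nonce' );
    echo '<input type="text" name="title" placeholder="Link title">';
    echo '<input type="url" name="destination" placeholder="https://example.com/offer">';
    submit_button( 'Create affiliate link' );
    echo '</form>';
}
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any capability lookup or database write, and the capability check runs before validation so that a low-privilege account cannot even probe which inputs are accepted. The same two checks (a nonce plus a capability test) are what a handler such as the advisory’s ta_insert_external_image action needs in order to stop both the subscriber-level abuse and the CSRF variant described above.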

Updating the ThirstyAffiliates link manager plugin is recommended

The ThirstyAffiliates plugin has released patches for both vulnerabilities. It may be prudent to update to the patched plugin version, 3.10.5.

Citation

Read the official NVD vulnerability warning

CVE-2022-0634 Details

CVE-2022-0398 Details

Read the WPScan vulnerability details and view the proof of concept

ThirstyAffiliates Affiliate Link Manager < 3.10.5 – Subscribers + Any Affiliate Link Creation

ThirstyAffiliates < 3.10.5 – Subscribers + Unauthorized Image Uploads + CSRF
