{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/auto-affiliate-links-plugin--6.8.8/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7330"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Auto Affiliate Links plugin \u003c= 6.8.8"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Auto Affiliate Links plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) in versions up to and including 6.8.8. The flaw has two halves. On the write side, \u003ccode\u003eaal_url_stats_save_action()\u003c/code\u003e stores the \u003ccode\u003eurl\u003c/code\u003e POST parameter without sanitizing it. On the read side, \u003ccode\u003eaal_display_clicks()\u003c/code\u003e echoes the stored value straight into an anchor element\u0026rsquo;s \u003ccode\u003ehref\u003c/code\u003e attribute and inner text with no output escaping: none of \u003ccode\u003eesc_url()\u003c/code\u003e, \u003ccode\u003eesc_attr()\u003c/code\u003e or \u003ccode\u003eesc_html()\u003c/code\u003e is applied. The save handler is registered through the \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hook, so it runs for unauthenticated requests, and the nonce it requires is publicly exposed; a WordPress nonce is a CSRF token, not an authorization check, so it adds no protection here. An unauthenticated attacker can therefore store a payload that executes in an administrator\u0026rsquo;s browser as soon as the admin statistics page is viewed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts an HTTP POST request to the site\u0026rsquo;s AJAX endpoint (\u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request sets the \u003ccode\u003eaction\u003c/code\u003e parameter to \u003ccode\u003eaal_url_stats_save_action\u003c/code\u003e and places the XSS payload in the \u003ccode\u003eurl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eWordPress dispatches the request to the plugin\u0026rsquo;s \u003ccode\u003eaal_url_stats_save_action()\u003c/code\u003e handler via the \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hook; no login is required.\u003c/li\u003e\n\u003cli\u003eThe handler does not sanitize \u003ccode\u003eurl\u003c/code\u003e, so the payload is written to the WordPress database as-is.\u003c/li\u003e\n\u003cli\u003eAn administrator opens the admin statistics page, which calls \u003ccode\u003eaal_display_clicks()\u003c/code\u003e to render the stored URLs.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eaal_display_clicks()\u003c/code\u003e reads the unsanitized URL back from the database.\u003c/li\u003e\n\u003cli\u003eThe value is echoed directly into the \u003ccode\u003ehref\u003c/code\u003e attribute and inner text of an anchor element without \u003ccode\u003eesc_url()\u003c/code\u003e, \u003ccode\u003eesc_attr()\u003c/code\u003e or \u003ccode\u003eesc_html()\u003c/code\u003e, so a quote or angle bracket in the stored value breaks out of the attribute or text context.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s browser executes the injected script with the administrator\u0026rsquo;s session, enabling account compromise or further actions on the site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated attacker can execute arbitrary JavaScript in the context of an administrator\u0026rsquo;s browser. Because the script runs with the administrator\u0026rsquo;s authenticated session, it can drive the WordPress admin interface on their behalf: account takeover, creation of additional privileged users, site defacement, or redirection of visitors to attacker-controlled sites are all reachable from there. Since the injection step requires no authentication and the payload persists until an administrator views the page, the risk to sites running the affected plugin is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Auto Affiliate Links plugin to the latest version, which includes a fix for CVE-2026-7330. Until that is done, deactivating the plugin removes the unauthenticated injection endpoint.\u003c/li\u003e\n\u003cli\u003eAfter upgrading, review the stored URL statistics for previously injected entries; a fix that adds escaping neutralises them on display but does not delete them.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Auto Affiliate Links Plugin XSS Attempt\u0026rdquo;, which flags POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e whose \u003ccode\u003eurl\u003c/code\u003e parameter contains suspicious characters. Note that the parameter travels in the POST body, which default web-server access logs do not record; the rule needs a log source that captures request bodies, such as a WAF or ModSecurity audit log.\u003c/li\u003e\n\u003cli\u003eIn plugin code, sanitize on input (for a URL, \u003ccode\u003eesc_url_raw()\u003c/code\u003e), escape on output for the specific context (\u003ccode\u003eesc_url()\u003c/code\u003e for \u003ccode\u003ehref\u003c/code\u003e, \u003ccode\u003eesc_html()\u003c/code\u003e for text), and do not expose state-changing handlers through \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e without an explicit capability check; a nonce alone does not authorize the caller.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T09:16:10Z","date_published":"2026-05-08T09:16:10Z","id":"/briefs/2026-05-wordpress-xss/","summary":"The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 6.8.8 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into the admin statistics page.","title":"WordPress Auto Affiliate Links Plugin Stored XSS Vulnerability (CVE-2026-7330)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Auto Affiliate Links Plugin \u003c= 6.8.8","version":"https://jsonfeed.org/version/1.1"}
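The detection the brief's Recommendation section attributes to its Sigma rule, written out as an added Python example. This is not code from the CraftedSignal feed or from the plugin; the endpoint path, the `action` value and the `url` parameter name come from the brief, while the tab-separated log format, the `classify_request` and `scan_log` helper names and the sample lines are constructed here. It assumes a log source that records POST bodies (a WAF or ModSecurity-style audit log), because a standard access log would not carry the `url` parameter at all.

```python
"""Added example (not code from the CraftedSignal feed or the plugin).

Mirrors the detection logic the brief attributes to its Sigma rule: flag
POST requests to wp-admin/admin-ajax.php whose form body sets
action=aal_url_stats_save_action and whose url value contains characters
or schemes that a plain http(s) URL never carries. The parameter and action
names come from the brief; the log line format is constructed here and is
NOT a standard web-server format (default access logs do not record POST
bodies, so this assumes a WAF/ModSecurity-style source that does).
"""
import re
from urllib.parse import parse_qs, urlparse

TARGET_ACTION = "aal_url_stats_save_action"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Raw quotes and angle brackets are what break out of href="..." and the
# anchor's inner text in the unescaped aal_display_clicks() output.
BREAKOUT_RE = re.compile(r'[<>"\']')
# These schemes execute even inside a correctly quoted href, so a URL that
# starts with one is malicious regardless of escaping.
SCHEME_RE = re.compile(r'^\s*(javascript|data|vbscript)\s*:', re.IGNORECASE)


def classify_request(method, path, body):
    """Classify one HTTP request as ('ignore'|'ok'|'alert', reason)."""
    target = urlparse(path)
    if method.upper() != "POST" or not target.path.endswith(AJAX_PATH):
        return ("ignore", "not a POST to admin-ajax.php")
    # WordPress accepts 'action' from either the query string or the body.
    params = parse_qs(target.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if params.get("action", [""])[0] != TARGET_ACTION:
        return ("ignore", "other ajax action")
    url = params.get("url", [""])[0]  # parse_qs has already percent-decoded it
    m = BREAKOUT_RE.search(url)
    if m:
        return ("alert", f"attribute/text breakout character {m.group(0)!r} in url")
    m = SCHEME_RE.match(url)
    if m:
        return ("alert", f"script-capable scheme {m.group(1).lower()!r} in url")
    scheme = urlparse(url).scheme
    if scheme not in ("http", "https"):
        return ("alert", f"unexpected scheme {scheme!r} in url")
    return ("ok", "url looks like a plain http(s) link")


def scan_log(lines):
    """Run classify_request over constructed tab-separated log lines.

    Line format (constructed for this example):
        <timestamp> TAB <client_ip> TAB <method> TAB <path> TAB <urlencoded body>
    Returns one dict per alerting line.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, method, path, body = line.rstrip("\n").split("\t", 4)
        verdict, reason = classify_request(method, path, body)
        if verdict == "alert":
            alerts.append({"ts": ts, "client": client, "reason": reason})
    return alerts


# Constructed sample log: one benign stats save, one attribute breakout
# attempt, one javascript: href with the action in the query string, and
# one unrelated GET that must be ignored.
SAMPLE_LOG = [
    "2026-05-08T09:16:10Z\t198.51.100.7\tPOST\t/wp-admin/admin-ajax.php\t"
    "action=aal_url_stats_save_action&url=https%3A%2F%2Fexample.com%2Fdeal",
    "2026-05-08T09:16:11Z\t203.0.113.5\tPOST\t/wp-admin/admin-ajax.php\t"
    "action=aal_url_stats_save_action&url=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
    "2026-05-08T09:16:12Z\t203.0.113.5\tPOST\t/wp-admin/admin-ajax.php?action=aal_url_stats_save_action\t"
    "url=javascript%3Aalert(document.cookie)",
    "2026-05-08T09:16:13Z\t192.0.2.9\tGET\t/wp-admin/admin-ajax.php?action=heartbeat\t",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The breakout check deliberately fires on a bare `'` or `"` anywhere in the value, which will also catch the rare legitimate affiliate URL that carries one unencoded; that is the right trade-off for an endpoint that should only ever receive plain http(s) links, but tune it if your logs show real traffic tripping it. Matching on the decoded value matters: an attacker can send `%3C` instead of `<`, and the plugin's handler sees the decoded form, so the detector must too.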