Tag
The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution (CVE-2026-6169) due to the use of the BladeOne templating engine's runString() method, which allows authenticated attackers with Editor-level access or higher to execute arbitrary PHP code by injecting it into a plugin template.