WordPress Plugin Vulnerabilities

Auto Affiliate Links < 6.4.3.1 - Missing Authorization via aalAddLink

Description

The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts.

Affects Plugins

Plugin icon
wp-auto-affiliate-links
Fixed in 6.4.3.1

References

CVE
CVE-2024-1843
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/09e5aa34-ab28-4349-ac5f-6a0479e641e5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
8a7ba432-78b7-4534-85c7-0620aa83822f

Timeline

Publicly Published
2024-03-11 (about 2 years ago)
Added
2024-03-11 (about 2 years ago)
Last Updated
2024-03-11 (about 2 years ago)

Other

Published
Title
Published
2025-08-14
Title
WooCommerce OTP Login With Phone Number, OTP Verification < 1.8.48 - Authentication Bypass
Published
2025-12-04
Title
EPROLO Dropshipping < 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification
Published
2025-05-20
Title
Splitit < 4.2.9 - Missing Authorization to Multiple Administrative Actions
Published
2023-10-27
Title
Post Meta Data Manager < 1.2.1 - Unauthenticated Data Deletion
Published
2025-12-10
Title
Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion