CVE-2026-7330
Received Received - Intake
Stored XSS in Auto Affiliate Links WordPress Plugin

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: Wordfence

Description
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-29
AI Q&A
2026-05-08
EPSS Evaluated
2026-05-28
NVD
CVE-2026-7330
EUVD
EUVD-2026-28540
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress auto_affiliate_links to 6.8.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Auto Affiliate Links plugin for WordPress versions up to and including 6.8.8 has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize the 'url' POST parameter in the aal_url_stats_save_action() function. Additionally, it fails to escape output in the aal_display_clicks() function, where the stored value is directly inserted into an anchor element's href attribute and inner text without using proper escaping functions like esc_url(), esc_attr(), or esc_html().

As a result, unauthenticated attackers can inject malicious web scripts into the admin statistics page. These scripts execute in the browser of an administrator when they visit the page. The attack leverages a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.


How can this vulnerability impact me? :

This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of an administrator's browser. This can lead to several impacts including theft of administrator credentials, unauthorized actions performed with administrator privileges, and potential compromise of the WordPress site.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into the admin statistics page, which execute in an administrator's browser. This can lead to unauthorized access or manipulation of sensitive data within the WordPress environment.

Such unauthorized access and potential data manipulation could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct compliance implications or specific regulatory impacts of this vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart