CVE-2026-7330
Stored XSS in Auto Affiliate Links WordPress Plugin
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | auto_affiliate_links | to 6.8.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Auto Affiliate Links plugin for WordPress versions up to and including 6.8.8 has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize the 'url' POST parameter in the aal_url_stats_save_action() function. Additionally, it fails to escape output in the aal_display_clicks() function, where the stored value is directly inserted into an anchor element's href attribute and inner text without using proper escaping functions like esc_url(), esc_attr(), or esc_html().
As a result, unauthenticated attackers can inject malicious web scripts into the admin statistics page. These scripts execute in the browser of an administrator when they visit the page. The attack leverages a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of an administrator's browser. This can lead to several impacts including theft of administrator credentials, unauthorized actions performed with administrator privileges, and potential compromise of the WordPress site.