CVE-2026-7330
Received Received - Intake
Stored XSS in Auto Affiliate Links WordPress Plugin

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: Wordfence

Description
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-7330
EUVD
EUVD-2026-28540
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress auto_affiliate_links to 6.8.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Auto Affiliate Links plugin for WordPress versions up to and including 6.8.8 has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize the 'url' POST parameter in the aal_url_stats_save_action() function. Additionally, it fails to escape output in the aal_display_clicks() function, where the stored value is directly inserted into an anchor element's href attribute and inner text without using proper escaping functions like esc_url(), esc_attr(), or esc_html().

As a result, unauthenticated attackers can inject malicious web scripts into the admin statistics page. These scripts execute in the browser of an administrator when they visit the page. The attack leverages a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.

Impact Analysis

This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of an administrator's browser. This can lead to several impacts including theft of administrator credentials, unauthorized actions performed with administrator privileges, and potential compromise of the WordPress site.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into the admin statistics page, which execute in an administrator's browser. This can lead to unauthorized access or manipulation of sensitive data within the WordPress environment.

Such unauthorized access and potential data manipulation could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct compliance implications or specific regulatory impacts of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart