CVE-2025-11451 HIGH

CVE-2025-11451: Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read

Vendor Miunosoft
Product Auto Amazon Links – Amazon Associates Affiliate Plugin
Weakness CWE-73
Published November 11, 2025
Last update April 8, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Explanation of Vulnerability in Simple Terms

02 Summary

Auto Amazon Links versions 5.4.3 and earlier contain an external entity injection vulnerability that allows unauthenticated attackers to read sensitive files from the server. The flaw lies in how the plugin processes XML input without proper validation. An attacker can exploit it remotely, without any user interaction, to access configuration files, database credentials, and other confidential data stored on the server.

What an attacker can do

03 Attacker Capabilities

Read sensitive files from the server, including configuration files and credentials.

Potential impact on your site

04 Site Impact

Attackers can access your site's configuration files, database credentials, and other sensitive data without logging in.

Conditions required to exploit

05 Prerequisites

None. The attacker needs only network access to the vulnerable plugin.

Key dates

06 Disclosure timeline

November 11, 2025 CVE published
April 8, 2026 Record updated