What the vulnerability does
01Description
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
Explanation of Vulnerability in Simple Terms
02Summary
Auto Affiliate Links versions 6.8.8 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the site without authentication. The vulnerability affects the scope beyond the vulnerable component, potentially impacting other parts of the site. Site administrators should update to a version newer than 6.8.8 to remediate this issue.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that executes in visitors' browsers and affects other site functionality.
Potential impact on your site
04Site Impact
Visitors' browsers may execute attacker-controlled scripts, risking credential theft, malware distribution, or site defacement.
Conditions required to exploit
05Prerequisites
No authentication or user interaction required; attacker can exploit this remotely over the network.
Key dates
06Disclosure timeline
May 8, 2026
CVE published
May 8, 2026
Record updated