CVE-2026-7330 HIGH

CVE-2026-7330: Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter

Vendor Thedark
Product Auto Affiliate Links
Weakness CWE-79 · XSS
Published May 8, 2026
Last update May 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.

Explanation of Vulnerability in Simple Terms

02Summary

Auto Affiliate Links versions 6.8.8 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the site without authentication. The vulnerability affects the scope beyond the vulnerable component, potentially impacting other parts of the site. Site administrators should update to a version newer than 6.8.8 to remediate this issue.

What an attacker can do

03Attacker Capabilities

Inject malicious JavaScript that executes in visitors' browsers and affects other site functionality.

Potential impact on your site

04Site Impact

Visitors' browsers may execute attacker-controlled scripts, risking credential theft, malware distribution, or site defacement.

Conditions required to exploit

05Prerequisites

No authentication or user interaction required; attacker can exploit this remotely over the network.

Key dates

06Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated