Impact
The Amazon affiliate lite Plugin for WordPress has a missing or incorrectly implemented nonce check in the ADAL_settings_page function, creating a CSRF flaw. An attacker can send a forged request that an authenticated site administrator unknowingly submits, allowing the attacker to alter the plugin’s configuration. This impacts the integrity of the site’s affiliate settings, potentially redirecting traffic or changing commission parameters. The elevation of privileges is limited to plugin configuration, but changes can affect revenue and user experience.
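The weakness described above is a settings handler that accepts a POST without verifying a WordPress nonce. The PHP below is an added illustration and is not the plugin's code: it does not reproduce ADAL_settings_page, and every function, option, action and text-domain name (the adal_example_* identifiers) is hypothetical. It places the unprotected pattern beside a hardened version that gates every write behind current_user_can() and check_admin_referer(), the standard WordPress mitigation for this class of flaw.

```php
<?php
/**
 * Added illustration (not the plugin's code): a WordPress options page
 * with the CSRF weakness the advisory describes, beside a hardened form.
 * All adal_example_* names, the option name and the text domain are
 * hypothetical.
 */

// --- Vulnerable pattern: writes an option from POST data with no nonce check ---
function adal_example_settings_page_vulnerable() {
    if ( isset( $_POST['adal_affiliate_tag'] ) ) {
        // No check_admin_referer(): any request carrying this field is honoured,
        // so a form submitted from another origin by a logged-in admin rewrites it.
        update_option(
            'adal_example_affiliate_tag',
            sanitize_text_field( wp_unslash( $_POST['adal_affiliate_tag'] ) )
        );
    }
    adal_example_render_form( false );
}

// --- Hardened pattern: capability check and nonce verification before any write ---
function adal_example_settings_page_hardened() {
    if ( isset( $_POST['adal_affiliate_tag'] ) ) {
        // Only users permitted to manage options may change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'adal-example' ), 403 );
        }
        // Verifies the nonce bound to the 'adal_example_save' action for this
        // user and session; on mismatch WordPress stops execution with wp_die().
        check_admin_referer( 'adal_example_save', 'adal_example_nonce' );

        update_option(
            'adal_example_affiliate_tag',
            sanitize_text_field( wp_unslash( $_POST['adal_affiliate_tag'] ) )
        );
        add_settings_error( 'adal_example', 'saved', __( 'Settings saved.', 'adal-example' ), 'updated' );
    }
    adal_example_render_form( true );
}

// Renders the form. The hardened variant embeds the hidden nonce field that
// check_admin_referer() later verifies; a forged cross-site form cannot
// supply a valid value for it.
function adal_example_render_form( $with_nonce ) {
    $tag = get_option( 'adal_example_affiliate_tag', '' );
    ?>
    <div class="wrap">
        <h1>Amazon Affiliate Settings (example)</h1>
        <?php settings_errors( 'adal_example' ); ?>
        <form method="post" action="">
            <?php if ( $with_nonce ) { wp_nonce_field( 'adal_example_save', 'adal_example_nonce' ); } ?>
            <label for="adal_affiliate_tag">Affiliate tag</label>
            <input type="text" id="adal_affiliate_tag" name="adal_affiliate_tag"
                   value="<?php echo esc_attr( $tag ); ?>" />
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Registers the hardened page. The menu capability controls who can see the
// page; it does not stop CSRF, which is why the handler re-checks the nonce
// on every POST.
add_action( 'admin_menu', function () {
    add_options_page(
        'Amazon Affiliate (example)',
        'Amazon Affiliate (example)',
        'manage_options',
        'adal-example',
        'adal_example_settings_page_hardened'
    );
} );
```

When reviewing a plugin for this pattern, look for update_option() or direct database writes reachable from an admin page callback without a preceding check_admin_referer() or wp_verify_nonce() on the same request. Plugins that register their options through the Settings API (register_setting() with a form posting to options.php) get the nonce check from WordPress core and avoid this mistake entirely.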
Affected Systems
WordPress sites running the Amazon affiliate lite Plugin version 1.0.0 or earlier are vulnerable. The vendor is nestornoe, and the product is the Amazon affiliate lite Plugin. No specific product line or OS is mentioned; the issue is confined to the plugin code under the indicated versions.
Risk and Exploitability
With a CVSS score of 5.4, the vulnerability is considered moderate. The EPSS < 1% suggests a low probability of real-world exploitation, and it is not listed in CISA's KEV catalog. The likely attack vector is a phishing or social-engineering lure that leads a logged-in site administrator to visit a malicious page; the attacker needs no credentials of their own, but the flaw only takes effect if a user with administrative privileges is tricked into submitting the forged request. Consequently, the risk is limited to sites that still run the vulnerable plugin version and have active admins who could be targeted in this way.
OpenCVE Enrichment