Description
The AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2.28.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection allowing extraction of database contents (scored as confidentiality-only: C:H/I:N/A:N)
Action: Patch
AI Analysis

Impact

The vulnerability exists in the AffiliateWP WordPress plugin, specifically in the ajax_get_affiliate_id_from_login function, an AJAX handler reachable without authentication. A user-supplied parameter is neither escaped nor passed through a prepared statement, so an attacker can alter the SQL the function sends to the database and read records the query was never meant to return. The CVSS vector rates the impact as confidentiality-only (C:H/I:N/A:N): data can be exfiltrated, but the advisory attributes no integrity or availability impact. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
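To make the CWE-89 pattern concrete, the following is an added illustration written for this page; it is not AffiliateWP's code and does not reproduce the plugin's actual query. It shows a lookup that interpolates the login into the SQL string next to the same lookup done through $wpdb->prepare(), plus an AJAX handler that validates the input before it reaches SQL. The table name affiliate_wp_affiliates, the column names, the request parameter "login" and the action name example_get_affiliate_id_from_login are assumptions for the example.

```php
<?php
// Added illustration (not AffiliateWP's code): the CWE-89 pattern the advisory
// describes, beside the $wpdb->prepare() form that fixes it.
// Table and column names below are assumptions for the example.

/**
 * VULNERABLE pattern: the user-supplied login is interpolated straight into the
 * SQL text. A quote in $login closes the string literal, and whatever follows
 * becomes part of the query (UNION SELECT, boolean or time-based conditions).
 */
function example_affiliate_id_from_login_vulnerable( string $login ) {
    global $wpdb;

    $sql = "SELECT a.affiliate_id
            FROM {$wpdb->prefix}affiliate_wp_affiliates a
            JOIN {$wpdb->users} u ON u.ID = a.user_id
            WHERE u.user_login = '{$login}'"; // no escaping, no preparation

    return $wpdb->get_var( $sql );
}

/**
 * HARDENED pattern: the value is bound through a %s placeholder, so
 * $wpdb->prepare() quotes and escapes it and it can never change the query's
 * structure. Identifiers come from trusted $wpdb properties, never from the request.
 */
function example_affiliate_id_from_login_safe( string $login ) {
    global $wpdb;

    $sql = $wpdb->prepare(
        "SELECT a.affiliate_id
         FROM {$wpdb->prefix}affiliate_wp_affiliates a
         JOIN {$wpdb->users} u ON u.ID = a.user_id
         WHERE u.user_login = %s",
        $login
    );

    return $wpdb->get_var( $sql );
}

/**
 * How an unauthenticated AJAX handler should consume the request: constrain the
 * input's shape first (strict sanitize_user() allows only alphanumerics, space,
 * _, ., -, @), then use only the prepared lookup. The "login" parameter and the
 * action name are placeholders, not the plugin's real ones.
 */
function example_ajax_get_affiliate_id_from_login() {
    $login = isset( $_REQUEST['login'] )
        ? sanitize_user( wp_unslash( $_REQUEST['login'] ), true )
        : '';

    if ( '' === $login ) {
        wp_send_json_error( array( 'message' => 'missing login' ), 400 );
    }

    $affiliate_id = example_affiliate_id_from_login_safe( $login );

    if ( empty( $affiliate_id ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    wp_send_json_success( array( 'affiliate_id' => (int) $affiliate_id ) );
}
add_action( 'wp_ajax_nopriv_example_get_affiliate_id_from_login', 'example_ajax_get_affiliate_id_from_login' );
add_action( 'wp_ajax_example_get_affiliate_id_from_login', 'example_ajax_get_affiliate_id_from_login' );
```

The prepared statement is the fix; the strict sanitize_user() call is defense in depth and would not be sufficient on its own for values that legitimately contain quotes or SQL metacharacters. When reviewing a plugin for this class of bug, grep for $wpdb->query, get_var, get_row, get_results and get_col calls whose first argument is a double-quoted string containing a variable rather than the return value of $wpdb->prepare().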

Affected Systems

All WordPress sites running AffiliateWP plugin version 2.28.2 or earlier are affected. The official CNA lists the product as AffiliateWP:AffiliateWP; no further version pinning is provided beyond the upper bound of 2.28.2.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates high severity: network-reachable, low attack complexity, no privileges and no user interaction required. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; both are point-in-time signals, and the SSVC record marks the flaw as Automatable: yes, which is consistent with an unauthenticated injection in a widely deployed plugin being easy to scan for. Attackers exploit it by sending crafted AJAX requests to the vulnerable endpoint. The scored impact is limited to data extraction (no integrity or availability impact), but what can be extracted is not limited to affiliate records: once the query is under attacker control, anything the WordPress database user can read, such as password hashes in the users table, is in scope.

Generated by OpenCVE AI on April 21, 2026 at 02:40 UTC.

Remediation

No vendor fix or workaround is recorded for this CVE. The description bounds the affected range at 2.28.2 inclusive, so confirm the installed version and watch the vendor's changelog for the release that addresses this issue.

OpenCVE Recommended Actions

  • Update AffiliateWP to a version newer than 2.28.2 (the description fixes the affected range at "up to, and including, 2.28.2"). Confirm the installed version in the WordPress Plugins screen or with `wp plugin list` before and after updating.
  • Until the update is applied, deny unauthenticated access to the AJAX action that dispatches to ajax_get_affiliate_id_from_login. Note that the endpoint is WordPress's shared /wp-admin/admin-ajax.php and the handler is selected by an `action` parameter carried in the query string or the POST body, so a web server rule that matches only the URL path would either block all AJAX traffic (breaking other plugins and themes) or miss requests that send the action in the body. Prefer a check inside WordPress (a must-use plugin that returns 403 for that action when is_user_logged_in() is false) or a WAF rule that inspects the parameter.
  • Apply least privilege to the database account. WordPress needs SELECT, INSERT, UPDATE and DELETE on its own tables, so SELECT cannot be removed there; instead confine the account to the single WordPress schema and do not grant FILE, SUPER, PROCESS or access to other databases. This limits what an injection can reach beyond the site's own tables. Verify with `SHOW GRANTS;` while connected as the WordPress user.
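One way to implement the second action inside WordPress, as an added example that is not part of the OpenCVE page or of AffiliateWP: a must-use plugin that refuses the AJAX action for logged-out requests before admin-ajax.php dispatches to the handler. The action name example_get_affiliate_id_from_login is a placeholder; the real one must be read from the add_action('wp_ajax_nopriv_...') line that registers ajax_get_affiliate_id_from_login in the installed plugin version.

```php
<?php
/**
 * Plugin Name: Example - block unauthenticated affiliate login lookup
 *
 * Added illustration, not AffiliateWP's code. Place this file directly in
 * wp-content/mu-plugins/ as a stop-gap until the plugin is updated.
 * The action name below is a PLACEHOLDER; replace it with the action that the
 * installed plugin registers for ajax_get_affiliate_id_from_login.
 */

const EXAMPLE_BLOCKED_AJAX_ACTIONS = array(
    'example_get_affiliate_id_from_login', // placeholder, see header comment
);

/**
 * admin-ajax.php fires 'admin_init' before it dispatches to
 * wp_ajax_nopriv_{action}, so a check hooked here runs ahead of the vulnerable
 * handler. The action may arrive in the query string or the POST body; reading
 * $_REQUEST covers both, which a URL-path-only web server rule cannot.
 */
function example_block_nopriv_affiliate_lookup() {
    // Only logged-out AJAX requests are in scope; authenticated users keep the feature.
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( in_array( $action, EXAMPLE_BLOCKED_AJAX_ACTIONS, true ) ) {
        // Log the sanitized action name and source address for triage; never log
        // or echo the other request parameters, which are attacker-controlled.
        error_log( sprintf(
            'Blocked unauthenticated AJAX action "%s" from %s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
}
add_action( 'admin_init', 'example_block_nopriv_affiliate_lookup', 1 );
```

Because the check sits in WordPress itself, it sees the same `action` value the dispatcher uses regardless of transport. The trade-off is that any legitimate logged-out use of the lookup is lost until the plugin is updated, so the log line is worth watching both for attack attempts and for broken front-end flows.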


Advisories

Source: EUVD
ID: EUVD-2025-31707
Title: AffiliateWP plugin SQL injection via ajax_get_affiliate_id_from_login, all versions up to and including 2.28.2 (text identical to the Description above)
History

Thu, 02 Oct 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Affiliatewp (affiliatewp), Wordpress (wordpress)

Type: Vendors & Products
Values Added: Affiliatewp (affiliatewp), Wordpress (wordpress)

Tue, 30 Sep 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 08:45:00 +0000

Type: Description
Values Added: (the Description text above)

Type: Title
Values Added: AffiliateWP <= 2.28.2 - Unauthenticated SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (blank)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:16.465Z

Reserved: 2025-08-11T20:44:29.267Z

Link: CVE-2025-8877

Vulnrichment

Updated: 2025-09-30T15:44:54.805Z

NVD

Status: Deferred

Published: 2025-09-30T11:37:46.857

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses