Description
The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.
Published: 2026-05-27
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Affiliate-Toolkit for WordPress can execute arbitrary PHP when an authenticated user with Editor or higher privileges edits a template. The BladeOne method runString() compiles the supplied template into PHP and evaluates it with eval() without sanitizing or sandboxing input. An attacker can inject PHP into a template and have it run on the server, enabling full remote code execution, data exfiltration, or further compromise of the WordPress installation.

Affected Systems

This flaw exists in all versions of the cservit Affiliate-Toolkit plugin up to and including 3.8.5, which provides a multi-network affiliate and Amazon product display framework for WordPress sites. Users running any of these versions are vulnerable; newer releases beyond 3.8.5 are not affected.

Risk and Exploitability

The CVSS score of 7.2 indicates a high-risk vulnerability. Because exploitation requires authenticated access, an attacker must first obtain or abuse credentials for an account with the Editor role or higher, but the injected code is then executed remotely through the site's own interface. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so current exploit prevalence is unknown. Nonetheless, the lack of sanitization in a widely used plugin makes exploitation relatively straightforward once an authenticated user can edit templates.

Generated by OpenCVE AI on May 27, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the ability to edit plugin templates to the Administrator role only, removing Editor or higher users from that capability until a patch is available.
  • If possible, modify the plugin’s runString() function to disable eval or switch to a safe rendering technique that does not execute arbitrary PHP, thereby preventing code injection through template editing.
  • Check for vendor updates or advisories and apply any new versions as soon as a fix is released.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 08:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.

Type: Title
Values Removed: (empty)
Values Added: affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-94

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
  {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:29:14.374Z

Reserved: 2026-04-12T20:50:35.583Z

Link: CVE-2026-6169

Vulnrichment

Updated: 2026-05-27T10:29:09.328Z

NVD

Status: Deferred

Published: 2026-05-27T08:16:44.810

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-6169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:15:30Z

Weaknesses