CVE-2026-7330 - Vulnerability Details

Description

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.

Published: 2026-05-08

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Auto Affiliate Links plugin for WordPress contains a stored XSS flaw in versions up to and including 6.8.8. Unauthenticated attackers can submit arbitrary JavaScript through the 'url' POST parameter, which is later echoed into the admin statistics page without any output escaping. This flaw allows a malicious script to execute in the browser of any administrator who views the affected page, potentially leading to session hijacking, credential theft, or other malicious actions performed under the administrator’s authority.

Affected Systems

The vulnerability affects thedark's Auto Affiliate Links plugin for WordPress, specifically all releases dated 6.8.8 or earlier. WordPress sites running any of those releases are at risk. No other vendors or products are impacted according to the CNA record.

Risk and Exploitability

The CVSS score of 7.2 categorizes this flaw as high severity, and the EPSS score is not available, indicating no published data on exploitation frequency. The flaw is not listed in CISA’s KEV catalog. Attackers can exploit it through a publicly exposed AJAX endpoint that requires no authentication, making the attack vector remote and easy to reach. By injecting script into the stored link value, an attacker can run arbitrary code in the administrator’s browser whenever the statistics page is accessed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

thedark

Auto Affiliate Links

unaffected

Version	Status	Constraints
`0`	affected	≤ 6.8.8

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Auto Affiliate Links plugin to the latest available version that removes the XSS vulnerability.
If upgrading is not immediately possible, deactivate or uninstall the plugin to eliminate the attack surface.
As a temporary measure, delete all existing statistics entries or sanitize the stored 'url' values to prevent stored malicious content from being rendered.

Generated by OpenCVE AI on May 8, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0016.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L225
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L278
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L304
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L225
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L278
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L304
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L225
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L278
https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L304
https://plugins.trac.wordpress.org/changeset/3519003/wp-auto-affiliate-links/trunk/aal_stats.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-auto-affiliate-links/tags/6.8.8&new_path=%2Fwp-auto-affiliate-links/tags/6.8.8.1
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8ed84e-3504-42e3-821d-794198d7adda?source=cve

History

Fri, 08 May 2026 09:00:00 +0000

Type	Values Removed	Values Added
Description		The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
Title		Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L304 https://plugins.trac.wordpress.org/changeset/3519003/wp-auto-affiliate-links/trunk/aal_stats.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-auto-affiliate-links/tags/6.8.8&new_path=%2Fwp-auto-affiliate-links/tags/6.8.8.1 https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8ed84e-3504-42e3-821d-794198d7adda?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-08T08:26:33.373Z

Updated: 2026-05-08T08:26:33.373Z

Reserved: 2026-04-28T18:53:39.258Z

Link: CVE-2026-7330

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T09:16:10.100

Modified: 2026-05-08T09:16:10.100

Link: CVE-2026-7330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T10:30:06Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object