ThirstyAffiliates WordPress Plugin Vulnerabilities


The US National Vulnerability Database (NVD) announced that the ThirstyAffiliates Affiliate Link Manager WordPress plugin has two vulnerabilities that may allow an attacker to inject links. In addition, the plugin lacks Cross-Site Request Forgery (CSRF) checks, which could lead to a complete compromise of the victim's website.

ThirstyAffiliates Link Manager Plugin

The ThirstyAffiliates Link Manager WordPress plugin offers affiliate link management tools. Affiliate links change constantly, and once a link goes stale the affiliate no longer earns money from it.

The plugin solves this problem by providing a way to manage affiliate links from a single area of the WordPress administrator panel, which makes it easy to change destination URLs across the entire site by changing one link.

The tool also provides a way to add affiliate links within content as the content is written.

ThirstyAffiliates Link Manager WordPress Plugin Vulnerabilities

The US National Vulnerability Database (NVD) described two vulnerabilities that allow any logged-in user, including users at the Subscriber level, to create affiliate links and to add images with links that can direct users who click on them to any website.

The NVD describes the vulnerabilities:


“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as a subscriber, to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.”


“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.

Further, the plugin lacks CSRF checks, allowing an attacker to trick a logged-in user into performing the action by crafting a special request.”

Cross-Site Request Forgery

A Cross-Site Request Forgery attack is one that causes a logged-in user to execute an arbitrary action on a website, without intending to, through the browser that the site visitor is using.

On a website that lacks CSRF checks, the site cannot tell the difference between a browser presenting the cookie credentials of a logged-in user for a request the user actually made and a forged request that carries the same authenticated session (authenticated meaning logged in).

If the logged-in user has administrator-level access, the attack can lead to a total site takeover, because everything that administrator can do on the website is exposed.
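The two missing controls the advisory names (an authorization check and a CSRF nonce) are easiest to see in a WordPress admin-ajax handler. The following is an illustrative example added here, not code from the ThirstyAffiliates plugin: the action name ta_insert_external_image comes from the advisory, while the request field names and the nonce action string are assumptions.

```php
<?php
// Illustrative example; not code from the ThirstyAffiliates plugin.
// The action name is from the advisory; post_id, image_url and the nonce
// field/action are assumptions for this example.

// Weak pattern described in the advisory: no capability check, no nonce.
// Any logged-in user can call admin-ajax.php?action=ta_insert_external_image,
// and a forged cross-site request riding on the victim's cookies succeeds too.
function weak_insert_external_image() {
    $link_id   = (int) $_POST['post_id'];
    $url       = $_POST['image_url'];
    $attach_id = media_sideload_image( $url, $link_id, null, 'id' );
    if ( is_wp_error( $attach_id ) ) {
        wp_send_json_error( $attach_id->get_error_message() );
    }
    wp_send_json_success( array( 'attachment_id' => $attach_id ) );
}

// Hardened pattern: the nonce ties the request to a page this site served to
// this user (defeats CSRF); capability checks stop Subscriber-level accounts
// and restrict the action to links the caller is allowed to edit.
function hardened_insert_external_image() {
    // Dies with HTTP 403 if the nonce is missing, stale or for another action.
    check_ajax_referer( 'ta_insert_external_image', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 );
    }

    $link_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $url     = isset( $_POST['image_url'] )
        ? esc_url_raw( wp_unslash( $_POST['image_url'] ) ) : '';

    // Accept only a valid http(s) URL and only a post the caller may edit.
    if ( ! $link_id || ! wp_http_validate_url( $url )
        || ! current_user_can( 'edit_post', $link_id ) ) {
        wp_send_json_error( 'Invalid request', 400 );
    }

    $attach_id = media_sideload_image( $url, $link_id, null, 'id' );
    if ( is_wp_error( $attach_id ) ) {
        wp_send_json_error( $attach_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'attachment_id' => $attach_id ) );
}

// Register on wp_ajax_ only (no wp_ajax_nopriv_) so anonymous requests never
// reach the handler. The admin page making the request must send a value from
// wp_create_nonce( 'ta_insert_external_image' ) in the 'nonce' field.
add_action( 'wp_ajax_ta_insert_external_image', 'hardened_insert_external_image' );
```

For defenders reviewing a plugin, the pattern to look for is any `wp_ajax_*` or `admin_post_*` hook whose handler performs a write before a `check_ajax_referer`/`wp_verify_nonce` call and a `current_user_can` check.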

Updating the ThirstyAffiliates Link Manager Plugin Is Recommended

The ThirstyAffiliates plugin has issued a patch for the two vulnerabilities. It would be prudent to update to the patched version of the plugin, 3.10.5.


Read the Official NVD Vulnerability Warnings

CVE-2022-0634 Detail

CVE-2022-0398 Detail

Read the WPScan Vulnerability Details and Review the Proofs of Concept

ThirstyAffiliates Affiliate Link Manager < 3.10.5 – Subscriber+ Arbitrary Affiliate Links Creation

ThirstyAffiliates < 3.10.5 – Subscriber+ unauthorized image upload + CSRF
