WordPress Auto Affiliate Links Plugin <= 6.3.0.2 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3.0.2 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Auto Affiliate Links plugin ≤6.3.0.2 has a CSRF vulnerability allowing an attacker to perform unauthorized actions on behalf of an admin.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Auto Affiliate Links plugin by Lucian Apostol, affecting versions up to and including 6.3.0.2 [1]. The plugin does not verify a WordPress nonce on its administrative actions, so a page on an attacker-controlled origin can cause a logged-in administrator's browser to submit requests that modify plugin settings or perform other privileged operations [1].
Exploitation
An attacker must trick an authenticated administrator into visiting a malicious page or clicking a crafted link while the admin is logged into the WordPress admin area. No special network position is required beyond the ability to host a malicious HTML page or inject a script into a trusted site (e.g., via another vulnerability) [1]. The attacker can forge requests to any vulnerable endpoint within the plugin's admin interface, and the browser will automatically include the admin's session cookies. One practical caveat: Chromium-based browsers treat cookies that carry no SameSite attribute as Lax by default, which withholds them from cross-site POST submissions (apart from a short grace period after the cookie is set) but not from top-level GET navigations, so whether a particular action is reachable from another origin also depends on the HTTP method the vulnerable endpoint accepts.
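To make the flaw in the Vulnerability and Exploitation paragraphs concrete, the following added example (written for this page, not code from the Auto Affiliate Links plugin) shows a minimal WordPress admin-post handler in the unsafe shape described, beside the hardened form that uses a nonce and a capability check. The hook names `aal_example_save_unsafe` and `aal_example_save`, the option `aal_example_links`, the nonce field `_aal_nonce` and the admin page slug are all hypothetical.

```php
<?php
// Added example, not the plugin's own code. Hook, option, field and page
// names below are hypothetical placeholders.

// --- Unsafe pattern ---
// admin_post_{action} handlers run for any logged-in user who reaches
// admin-post.php. Nothing here proves the request originated from the
// plugin's own settings form, so a cross-site form that POSTs
// action=aal_example_save_unsafe&links=... is accepted as long as the
// victim's browser attaches the WordPress auth cookies.
add_action( 'admin_post_aal_example_save_unsafe', function () {
    update_option( 'aal_example_links', wp_unslash( $_POST['links'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=aal-example&saved=1' ) );
    exit;
} );

// --- Hardened pattern ---
// The settings form embeds a nonce bound to the action name and the
// current user's session. An attacker's page cannot read or predict it.
function aal_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="aal_example_save">
        <?php wp_nonce_field( 'aal_example_save', '_aal_nonce' ); ?>
        <textarea name="links"><?php echo esc_textarea( get_option( 'aal_example_links', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_aal_example_save', function () {
    // Authorization: only users allowed to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // CSRF defence: verifies the nonce in $_POST['_aal_nonce'] for the
    // 'aal_example_save' action and dies with -1 / 403 when it is missing
    // or invalid, which is exactly where a forged cross-site request stops.
    check_admin_referer( 'aal_example_save', '_aal_nonce' );

    $links = sanitize_textarea_field( wp_unslash( $_POST['links'] ?? '' ) );
    update_option( 'aal_example_links', $links );
    wp_safe_redirect( admin_url( 'admin.php?page=aal-example&saved=1' ) );
    exit;
} );
```

Both checks are needed: the nonce alone does not stop a low-privileged user who can obtain a valid nonce from a page they are allowed to view, and the capability check alone does nothing against CSRF because the forged request arrives with the administrator's own cookies. When reviewing a plugin for this class of bug, grep its admin handlers for `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` and confirm every state-changing path passes through one of them.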
Impact
Successful exploitation allows the attacker to execute unauthorized actions with the victim's privilege level, such as changing affiliate links, modifying keyword mappings, altering plugin settings, or adding/deleting links [1]. This can lead to redirection of traffic to attacker-controlled affiliate accounts or persistent modification of the site's content. Because the same-origin policy prevents the attacker's page from reading the responses to the forged requests, CSRF by itself does not disclose plugin configuration; its effect is limited to state-changing actions. The integrity and availability of the site's affiliate marketing functionality are compromised without direct interaction with the plugin's forms [1].
Mitigation
Users should update to version 6.8.8.3 or later, which contains a fix for the CSRF issue [1]. As of the publication date (March 13, 2023), no workaround has been provided, but applying the latest plugin update from the WordPress plugin repository resolves the vulnerability [1]. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.3.0.2
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.