WordPress Affiliate Super Assistent Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in the Timo Reith Affiliate Super Assistent plugin, versions <= 1.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Affiliate Super Assistent plugin <= 1.5.1 allows attackers to perform unauthorized actions via crafted requests.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Affiliate Super Assistent plugin (amazonsimpleadmin) for WordPress, affecting versions up to and including 1.5.1 [1]. The plugin fails to implement proper CSRF tokens or other validation mechanisms on sensitive actions, allowing an attacker to trick an authenticated administrator into unknowingly executing malicious requests.
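The missing control described above, shown as an added example of the general WordPress pattern. This is not the Affiliate Super Assistent source: every `example_` function, option and page name is hypothetical, and the code assumes it is loaded as part of a plugin inside WordPress.

```php
<?php
// Added illustration, NOT code from the Affiliate Super Assistent plugin.
// Every name prefixed example_ is hypothetical.

// Before: a state-changing handler with no request-origin check.
// The browser attaches the admin's session cookie to any request,
// so the handler cannot tell its own form from a cross-site one.
function example_save_settings_unprotected() {
    if ( isset( $_POST['example_tracking_id'] ) ) {
        update_option(
            'example_tracking_id',
            sanitize_text_field( wp_unslash( $_POST['example_tracking_id'] ) )
        );
    }
}

// After, step 1: the settings form embeds a nonce bound to the
// current user, session and action name.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_tracking_id"
               value="<?php echo esc_attr( get_option( 'example_tracking_id', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// After, step 2: the handler checks capability and nonce before writing.
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $value = isset( $_POST['example_tracking_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_tracking_id'] ) )
        : '';
    update_option( 'example_tracking_id', $value );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

When reviewing a plugin for this class of bug, look for handlers that write options or other state without a `check_admin_referer()` or `wp_verify_nonce()` call ahead of the write.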
Exploitation
An attacker must craft a malicious link or form that, when visited by a logged-in WordPress administrator with the plugin active, triggers an unintended action such as changing plugin settings or performing administrative operations. No authentication is required for the attacker beyond the victim's session; the victim must be logged in and interact with the crafted request (e.g., clicking a link or submitting a form).
Impact
Successful exploitation enables an attacker to perform any action that the victim administrator can perform within the plugin's settings, potentially leading to unauthorized modification of affiliate configurations, insertion of malicious shortcodes, or other changes that could compromise the site's integrity or redirect affiliate earnings.
Mitigation
The vendor has released version 1.10.2 of the plugin, which likely includes a fix for this vulnerability [1]. Users should update to the latest version immediately. No workaround is documented in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: <= 1.5.1
- Timo Reith/Affiliate Super Assistent, v5, Range: n/a
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.