Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution
Description
The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Affiliate Super Assistent plugin ≤1.5.3 allows unauthenticated arbitrary shortcode execution when 'Parse comments' is enabled, enabling remote code execution.
Vulnerability
The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. The plugin processes user-supplied shortcodes without proper sanitization or access control, as seen in the code where shortcode parsing occurs in comments [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by submitting a comment on a WordPress site running the vulnerable plugin with the 'Parse comments' option enabled. The attacker simply includes a malicious shortcode in the comment text; when the comment is parsed, the shortcode is executed. No authentication or special network position is required, only that WordPress comments are open and the plugin's parsing feature is active.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary shortcodes within the WordPress environment. Depending on available shortcodes, this can lead to various outcomes including arbitrary file writes, remote code execution, or sensitive information disclosure. The attacker can effectively run any WordPress shortcode, which may include built-in or plugin-defined shortcodes with capabilities beyond intended boundaries.
Mitigation
The vendor has released version 1.10.2 as of 2026-05-06, which presumably includes a fix for this vulnerability [2]. Users should update to the latest version immediately. If unable to update, disabling the 'Parse comments' option in the plugin settings can mitigate the risk. No known KEV listing exists as of publication.
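As an added illustration (not the plugin's code, and not the vendor's fix), the snippet below shows the pattern the Vulnerability section describes, every registered shortcode expanded in untrusted comment text, next to a hardened form that expands only an allowlist and strips the rest. The option name 'asa_parse_comments' and the allowlisted tag 'asa_offer' are assumptions; the WordPress functions used are real.

```php
<?php
// Added example, not code from the Affiliate Super Assistent plugin.

// Vulnerable pattern: the whole shortcode registry is applied to comment text,
// so any shortcode any plugin has registered can be triggered by a commenter.
// add_filter( 'comment_text', 'do_shortcode' );

/**
 * Hardened form: expand only allowlisted shortcodes in comment text and
 * strip every other registered shortcode before it can reach a later parser.
 */
function example_comment_text_allowlisted_shortcodes( $text ) {
    global $shortcode_tags;

    // Hypothetical option name; when the feature is off, leave the comment untouched
    // (WordPress core does not expand shortcodes in comments by default).
    if ( ! get_option( 'asa_parse_comments' ) ) {
        return $text;
    }

    $allowed   = array( 'asa_offer' );                              // hypothetical allowlist
    $all_tags  = $shortcode_tags;                                   // keep the full registry
    $blocked   = array_diff_key( $all_tags, array_flip( $allowed ) );
    $permitted = array_intersect_key( $all_tags, array_flip( $allowed ) );

    // strip_shortcodes() only removes tags currently registered, so register
    // just the blocked ones and strip them out of the comment.
    $shortcode_tags = $blocked;
    $text = strip_shortcodes( $text );

    // Now register just the permitted ones and expand those.
    $shortcode_tags = $permitted;
    $text = do_shortcode( $text );

    // Restore the full registry for the rest of the request.
    $shortcode_tags = $all_tags;
    return $text;
}
add_filter( 'comment_text', 'example_comment_text_allowlisted_shortcodes', 20 );
```

Even with an allowlist, each permitted shortcode handler still runs on attacker-chosen attributes, so the handlers themselves must validate their input; disabling the option, as the section above advises, removes the exposure entirely.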
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.5.3
- (no CPE) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.