VYPR
Medium severity (score 6.5) · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-67537

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blair Williams ThirstyAffiliates (thirstyaffiliates) allows Stored XSS. This issue affects ThirstyAffiliates: from n/a through <= 3.11.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in ThirstyAffiliates plugin allows attackers with contributor-level access to inject malicious scripts that execute when visitors view affected pages.

Vulnerability

Overview

The ThirstyAffiliates plugin for WordPress (versions up to and including 3.11.8) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with contributor-level privileges to inject arbitrary JavaScript or HTML payloads that are stored on the server and executed in the browsers of visitors accessing the compromised pages.

Exploitation

Details

To exploit this vulnerability, an attacker must first obtain a WordPress user account with at least the Contributor role. The attacker then crafts a malicious payload and submits it through the plugin's input fields (e.g., affiliate link descriptions or titles). The payload is stored in the database and rendered without proper escaping for its output context when the page is loaded by any visitor [1]. No additional user interaction is required for the stored script to execute in the victim's browser.

Impact

Successful exploitation enables the attacker to perform a range of malicious actions within the context of the victim's session, including redirecting users to phishing sites, injecting advertisements, stealing session cookies, or defacing the website [1]. Because the script executes for every visitor, the attack can affect a large number of users and damage the site's reputation.

Mitigation

The vendor has released version 3.11.9, which resolves the vulnerability by properly sanitizing and escaping user input [1]. Users are strongly advised to update immediately. For sites that cannot be updated immediately, disabling the plugin or restricting contributor-level access may reduce risk, but updating the plugin is the only complete fix.
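The following is an added illustration of the vulnerability class described in the Overview and of the fix described under Mitigation; it is not code from ThirstyAffiliates or from the vendor's patch, and the page gives no detail of which field or template was affected. The link structure, the render functions and the sample payload are constructed for the example. The only real WordPress APIs used are esc_html(), esc_attr() and esc_url(); minimal stand-ins are defined so the file also runs under a plain `php` CLI outside WordPress. The vulnerable function shows the CWE-79 pattern of echoing stored, contributor-controlled values straight into markup; the hardened function escapes each value for the context it lands in (URL for the href, text for the link body), which is the class of fix the advisory refers to.

```php
<?php
// Added example, not ThirstyAffiliates' own code. Field names and render
// functions are hypothetical. Stand-ins for the WordPress escaping helpers
// are only defined when WordPress has not already loaded them.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        // Text-node context: encode < > & " ' so markup cannot be injected.
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_attr(string $s): string {
        // Attribute context: same encoding; quotes are the important part here.
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_url(string $url): string {
        // WordPress's esc_url rejects disallowed schemes; this stand-in keeps
        // only http(s) so a javascript: URL cannot survive into an href.
        return preg_match('#^https?://#i', $url) ? esc_attr($url) : '';
    }
}

// Constructed example of what a Contributor-level user might store in an
// affiliate link's title and destination fields.
$stored = [
    'title' => 'Best Deal <img src=x onerror=alert(document.cookie)>',
    'url'   => 'javascript:alert(1)',
];

// Vulnerable pattern (CWE-79): stored values are concatenated into the page
// untouched, so the onerror handler and the javascript: href reach every
// visitor who views the rendered link.
function render_link_vulnerable(array $link): string {
    return '<a href="' . $link['url'] . '">' . $link['title'] . '</a>';
}

// Hardened pattern: escape at output time, per context. esc_url() for the
// href (already attribute-safe), esc_html() for the visible link text.
// If a limited set of HTML were intended in a field, wp_kses_post() would
// be the WordPress tool for that instead of esc_html().
function render_link_safe(array $link): string {
    $href = esc_url($link['url']);
    if ($href === '') {
        $href = '#'; // disallowed scheme: render an inert link rather than the payload
    }
    return '<a href="' . $href . '">' . esc_html($link['title']) . '</a>';
}

echo "vulnerable: " . render_link_vulnerable($stored) . "\n";
echo "safe:       " . render_link_safe($stored) . "\n";
```

Running the file shows the first line carrying the live `onerror` handler and `javascript:` href, and the second line rendering the same stored data as inert text with a neutral href. The design point is that escaping belongs at the output site and must match the context (URL, attribute, text), not be applied once generically at save time; a value escaped for one context can still be dangerous in another.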

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)