VYPR
High severity (7.5) · NVD Advisory · Published Sep 30, 2025 · Updated Apr 15, 2026

CVE-2025-8877

Description

The AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2.28.2 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The AffiliateWP plugin for WordPress, in versions up to and including 2.28.2, is vulnerable to unauthenticated SQL injection via the ajax_get_affiliate_id_from_login function, allowing data extraction.

The AffiliateWP plugin for WordPress contains a SQL injection vulnerability in the ajax_get_affiliate_id_from_login function. The flaw is due to insufficient escaping of user-supplied parameters and lack of prepared statements in the SQL query, allowing an attacker to inject arbitrary SQL.

An unauthenticated attacker can exploit this by sending a crafted request to the vulnerable AJAX endpoint. No authentication or special privileges are required; the attacker only needs network access to the WordPress site. The injection occurs because the function does not properly sanitize the input before incorporating it into the query.

Successful exploitation enables the attacker to append additional SQL queries to the existing one. This can be used to extract sensitive information from the database, such as user credentials, session tokens, or other confidential data stored by the WordPress installation.

All versions of AffiliateWP up to and including 2.28.2 are affected. Users are advised to update to the latest patched version as soon as possible. No workaround has been provided by the vendor at the time of publication.
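The advisory attributes the flaw to user input reaching the SQL query without escaping or a prepared statement. The PHP below is an added illustration of that defect class and of the WordPress-idiomatic fix; it is not AffiliateWP's code and does not reproduce the affected function. The table name, the `login` request parameter, the nonce action, the capability and the hook name are all assumptions made for the example.

```php
<?php
// Added illustration (not AffiliateWP's code): a hypothetical AJAX handler that
// looks up an affiliate id by login name, first in the unsafe pattern the advisory
// describes, then hardened. Assumed table: {$wpdb->prefix}example_affiliates
// with columns affiliate_id and user_login.

// UNSAFE (illustrative): request input interpolated straight into the SQL string.
// Whatever is sent as `login` becomes part of the statement text, so it can alter
// the query rather than only the value being compared. This is the defect class
// the advisory describes; do not ship code shaped like this.
function example_unsafe_get_affiliate_id_from_login() {
    global $wpdb;
    $login = isset( $_REQUEST['login'] ) ? $_REQUEST['login'] : '';
    $table = $wpdb->prefix . 'example_affiliates';
    $sql   = "SELECT affiliate_id FROM {$table} WHERE user_login = '{$login}'";
    wp_send_json_success( array( 'affiliate_id' => $wpdb->get_var( $sql ) ) );
}

// HARDENED: nonce and capability checks, input normalisation, and a prepared
// statement built with $wpdb->prepare().
function example_safe_get_affiliate_id_from_login() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce for this action
    // (nonce action name is an assumption for the example).
    check_ajax_referer( 'example_affiliate_lookup', 'nonce' );

    // Require a capability; 'manage_options' is a placeholder, choose the one
    // that matches who legitimately needs this lookup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // wp_unslash() undoes WordPress's magic-quotes-style slashing; sanitize_user()
    // in strict mode limits the value to characters valid in a login name.
    $login = isset( $_REQUEST['login'] )
        ? sanitize_user( wp_unslash( $_REQUEST['login'] ), true )
        : '';
    if ( '' === $login ) {
        wp_send_json_error( 'missing login', 400 );
    }

    $table = $wpdb->prefix . 'example_affiliates';

    // The %s placeholder is bound by $wpdb->prepare(), which quotes and escapes the
    // value; the input can only ever be compared, never change the statement.
    // Table names cannot be bound as placeholders, so the prefix is interpolated
    // from $wpdb->prefix, which is not user-controlled.
    $sql = $wpdb->prepare(
        "SELECT affiliate_id FROM {$table} WHERE user_login = %s",
        $login
    );
    $id = $wpdb->get_var( $sql );

    wp_send_json_success( array( 'affiliate_id' => $id ? (int) $id : 0 ) );
}

// Register only the hardened handler, and only on the authenticated wp_ajax_ hook.
// The advisory notes the vulnerable endpoint was reachable without authentication;
// not registering a wp_ajax_nopriv_ variant keeps this lookup off that path.
// (Hook suffix is illustrative.)
add_action( 'wp_ajax_example_get_affiliate_id_from_login', 'example_safe_get_affiliate_id_from_login' );
```

When reviewing a plugin for this class of bug, the things to look for are the ones the two functions differ on: any `$wpdb->query()`, `get_var()`, `get_results()` or `get_row()` call whose SQL string contains a `$_GET`, `$_POST` or `$_REQUEST` value without passing through `$wpdb->prepare()`, and any `wp_ajax_nopriv_` registration whose handler touches the database.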

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.