Awin Data Feed Security & Risk Analysis

wordpress.org/plugins/awin-data-feed

This plugin allows you to import your Awin Datafeed and sell the products from any widget area.

200 active installs · v1.8.7 · PHP 8.1+ · WP 3.5+ · Updated Aug 27, 2025
Tags: affiliate, affiliate-window, awin, awin-data-feed, zanox
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jun 16, 2022
Safety Verdict

Is Awin Data Feed Safe to Use in 2026?

Generally Safe

Score 99/100

Awin Data Feed has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jun 16, 2022 · Updated 7mo ago
Risk Assessment

The awin-data-feed plugin v1.8.7 exhibits a mixed security posture. While it shows good practices in areas like a high percentage of prepared SQL statements and properly escaped output, significant concerns arise from its attack surface and lack of authentication checks. The plugin exposes four AJAX handlers without any authentication, creating a direct pathway for unauthenticated attackers to interact with potentially sensitive functionality. This is exacerbated by the taint analysis revealing two high-severity flows with unsanitized paths, indicating that user-supplied data entering these entry points is not adequately validated, potentially leading to various injection attacks.

The plugin's vulnerability history, with two known CVEs including a high-severity Cross-Site Scripting (XSS) vulnerability, further reinforces the identified risks. Although no currently unpatched CVEs are listed, the pattern of past vulnerabilities, particularly XSS, suggests a recurring weakness in input sanitization and output escaping, even with a high percentage of properly escaped outputs noted in the static analysis. The presence of unsanitized paths in taint flows directly correlates with the historical XSS issues.

In conclusion, while the plugin demonstrates some positive security practices, the high number of unprotected AJAX endpoints, coupled with critical taint flows and a history of XSS vulnerabilities, paints a concerning picture. The lack of capability checks on all identified entry points and the presence of unsanitized paths are the most significant weaknesses that require immediate attention. Users should be cautious until these issues are addressed.

Key Concerns

  • AJAX handlers without auth checks
  • High severity unsanitized taint flows
  • History of High severity CVE (XSS)
  • History of Medium severity CVE
  • Lack of capability checks on entry points
  • Low number of nonce checks for entry points
Vulnerabilities: 2

Awin Data Feed Security Vulnerabilities

CVEs by Year

  • 2022: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2022-1937 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Awin Data Feed <= 1.7 - Reflected Cross-Site Scripting

Jun 16, 2022 · Patched in 1.8 (586d)

CVE-2022-1938 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Awin Data Feed <= 1.7 - Unauthenticated Stored Cross-Site Scripting

Jun 16, 2022 · Patched in 1.8 (586d)
Code Analysis
Analyzed Mar 16, 2026

Awin Data Feed Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 6 (11 prepared)
  • Unescaped Output: 8 (54 escaped)
  • Nonce Checks: 2
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

65% prepared · 17 total queries

Output Escaping

87% escaped · 62 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths

  • track_user_click (src\Datafeed\Models\AjaxHandler.php:60)
Attack Surface: 4 unprotected

Awin Data Feed Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers: 4

  • auth · wp_ajax_get_sw_product · src\Datafeed\Models\AjaxHandler.php:29
  • nopriv · wp_ajax_get_sw_product · src\Datafeed\Models\AjaxHandler.php:30
  • auth · wp_ajax_track_user_click · src\Datafeed\Models\AjaxHandler.php:33
  • nopriv · wp_ajax_track_user_click · src\Datafeed\Models\AjaxHandler.php:34

Shortcodes: 1

  • [AWIN_DATA_FEED] · src\Datafeed\Models\ShortcodeHandler.php:9

WordPress Hooks: 8

  • action · plugins_loaded · AWDatafeed.php:26
  • action · admin_menu · src\Datafeed\Views\AbstractSettings.php:58
  • action · admin_init · src\Datafeed\Views\AbstractSettings.php:59
  • action · admin_notices · src\Datafeed\Views\AbstractSettings.php:60
  • action · wp_enqueue_scripts · src\Datafeed\Widget.php:19
  • action · wp_enqueue_scripts · src\Datafeed\Widget.php:20
  • action · admin_enqueue_scripts · src\Datafeed\Widget.php:21
  • action · widgets_init · src\Datafeed\Widget.php:23
Maintenance & Trust

Awin Data Feed Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Aug 27, 2025
  • PHP min version: 8.1
  • Downloads: 14K

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 200
Developer Profile

Awin Data Feed Developer Profile

Awin

3 plugins · 2K total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 399 days
Detection Fingerprints

How We Detect Awin Data Feed

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/awin-data-feed/assets/aw-styles.css
  • /wp-content/plugins/awin-data-feed/assets/awindatafeed.js
  • /wp-content/plugins/awin-data-feed/src/Datafeed/Views/Widget/form.html
  • /wp-content/plugins/awin-data-feed/src/Datafeed/Views/Widget/widget.php
Script Paths
  • /wp-content/plugins/awin-data-feed/assets/awindatafeed.js
Version Parameters
  • awindatafeed-style
  • awindatafeed

HTML / DOM Fingerprints

CSS Classes
  • mfc-text
  • widgetContentSc
  • ajaxResponseSc
  • nextSc
  • ajaxResponseHorizontalSc
  • nextHorizontalSc
Data Attributes
  • name="swFeedSc"
  • id="swFeedSc"
  • name="title"
  • name="keywords"
  • name="displayCount"
  • name="layout"
  • +4 more
JS Globals
  • awindatafeed_params
REST Endpoints
  • /wp-json/
Shortcode Output
  • <form name="swFeedSc" id="swFeedSc">
  • <input name="title" type="hidden"
  • <input name="keywords" type="hidden"
  • <input name="displayCount" type="hidden"