Does LWS Affiliation have any unpatched vulnerabilities?

Yes — LWS Affiliation currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is LWS Affiliation compatible with WordPress 6.7.5?

According to WordPress.org data, LWS Affiliation 2.3.6 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

Is LWS Affiliation compatible with PHP 7.0+?

LWS Affiliation requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is LWS Affiliation updated?

LWS Affiliation was last updated on Feb 25, 2025. Frequent updates are generally a positive security signal.

What is LWS Affiliation's security score?

LWS Affiliation has a WP-Safety security score of 57/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

LWS Affiliation Security & Risk Analysis

wordpress.org/plugins/lws-affiliation

Add banners and widgets from the affiliate program of LWS.

800 active installs v2.3.6 PHP 7.0+ WP 5.0+ Updated Feb 25, 2025

affiliate-programaffiliationhostinglwswidgets

C · Use Caution

CVEs total4

Unpatched1

Last CVESep 22, 2025

Plugin page Download

Safety Verdict

Is LWS Affiliation Safe to Use in 2026?

Use With Caution

Score 57/100

LWS Affiliation has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs 1 unpatched Last CVE: Sep 22, 2025Updated 1yr ago

Risk Assessment

The lws-affiliation plugin v2.3.6 exhibits a concerning security posture, despite some positive indicators. While the majority of output is properly escaped and dangerous functions are absent, several critical weaknesses are evident. The presence of one unprotected AJAX handler significantly broadens the attack surface and poses an immediate risk for unauthorized actions. The taint analysis, though limited in scope, did identify a flow with an unsanitized path, which could potentially lead to vulnerabilities if exploited in conjunction with other weaknesses. The plugin's history of four known CVEs, including one critical and one high-severity vulnerability, and notably one unpatched critical vulnerability, is a major red flag. This historical pattern suggests a recurring struggle with secure coding practices, particularly in areas like authorization and file inclusion, demanding significant caution.

Key Concerns

Unpatched critical vulnerability
1 AJAX handler without auth checks
1 flow with unsanitized paths (taint analysis)
2 SQL queries, 0% using prepared statements
Unpatched high severity vulnerability
Bundled library: DataTables
Bundled library: TinyMCE

Vulnerabilities

4 published

LWS Affiliation Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

1 CVE in 2023

2023

1 CVE in 2024

2024

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Critical

High

Medium

4 total CVEs

CVE-2025-57934medium · 4.3Cross-Site Request Forgery (CSRF)

LWS Affiliation <= 2.3.6 - Cross-Site Request Forgery

Sep 22, 2025Unpatched

CVE-2024-43962medium · 4.3Missing Authorization

LWS Affiliation <= 2.3.4 - Missing Authorization

Aug 26, 2024 Patched in 2.3.5 (29d)

CVE-2023-32297critical · 9.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

LWS Affiliation <= 2.2.6 - Unauthenticated Remote/Local File Inclusion

Jul 24, 2023 Patched in 2.3 (183d)

WF-dd02becd-77e5-46b9-acc9-dba6c5caba27-lws-affiliationhigh · 8.8Missing Authorization

LWS Plugins <= (Various Versions) - Missing Authorization Checks

Dec 12, 2022 Patched in 2.2 (407d)

Version History

LWS Affiliation Release Timeline

v2.3.6Current1 CVE

CVE-2025-57934

v2.3.51 CVE

CVE-2025-57934

v2.3.42 CVEs

CVE-2024-43962 CVE-2025-57934

v2.3.32 CVEs

CVE-2024-43962 CVE-2025-57934

v2.3.22 CVEs

CVE-2024-43962 CVE-2025-57934

v2.3.12 CVEs

CVE-2024-43962 CVE-2025-57934

v2.32 CVEs

CVE-2024-43962 CVE-2025-57934

v2.2.63 CVEs

CVE-2023-32297 CVE-2024-43962 CVE-2025-57934

v2.2.53 CVEs

CVE-2023-32297 CVE-2024-43962 CVE-2025-57934

v2.23 CVEs

CVE-2023-32297 CVE-2024-43962 CVE-2025-57934

v2.14 CVEs

CVE-2023-32297 CVE-2024-43962 WF-dd02becd-77e5-46b9-acc9-dba6c5caba27-lws-affiliation +1 more

v2.04 CVEs

CVE-2023-32297 CVE-2024-43962 WF-dd02becd-77e5-46b9-acc9-dba6c5caba27-lws-affiliation +1 more

Code Analysis

Analyzed Mar 16, 2026

LWS Affiliation Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

303 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

DataTablesTinyMCE

SQL Query Safety

0% prepared2 total queries

Output Escaping

96% escaped317 total outputs

Data Flows · Security

1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths

lws_aff_setup (lws-affiliation.php:213)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

LWS Affiliation Attack Surface

Entry Points6

Unprotected1

AJAX Handlers 6

authwp_ajax_lws_aff_reminder_ajaxlws-affiliation.php:171

authwp_ajax_lws_aff_donotask_ajaxlws-affiliation.php:181

authwp_ajax_lws_aff_downloadPluginlws-affiliation.php:321

authwp_ajax_lws_aff_activatePluginlws-affiliation.php:325

authwp_ajax_load_banner_modallws-affiliation.php:361

authwp_ajax_load_preview_widgetlws-affiliation.php:1516

WordPress Hooks 12

actioninitlws-affiliation.php:23

filtermce_buttonslws-affiliation.php:31

filtermce_external_pluginslws-affiliation.php:32

actionadmin_noticeslws-affiliation.php:36

filterthe_contentlws-affiliation.php:73

actionadmin_enqueue_scriptslws-affiliation.php:96

actionadmin_noticeslws-affiliation.php:109

actionwp_enqueue_scriptslws-affiliation.php:114

actionadmin_print_scriptslws-affiliation.php:191

actionadmin_menulws-affiliation.php:206

actionadmin_noticeslws-affiliation.php:259

actionadmin_noticeslws-affiliation.php:279

Maintenance & Trust

LWS Affiliation Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedFeb 25, 2025

PHP min version7.0

Downloads48K

Community Trust

Rating100/100

Number of ratings2

Active installs800

Alternatives

LWS Affiliation Alternatives

Eldolink®

eldolink

Eldolink® is an affiliate program that allows you to monetize your traffic. Original wellness contents & products. Win big with Slimdoo®.

10 No CVEs

Hostinger Tools

hostinger

Simplified WordPress management. Manage site info, maintenance, security, & redirects.

3.0M 1 CVE

Classic Widgets

classic-widgets

100

Enables the previous "classic" widgets settings screens in Appearance - Widgets and the Customizer. Disables the block editor from managing widgets.

2.0M No CVEs

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

elementskit-lite

Join millions who empower their websites with ElementsKit Elementor Addons. Get templates, & 100+ widgets like header-footer, mega menu, custom widget

2.0M 24 CVEs

Essential Addons for Elementor – Popular Elementor Templates & Widgets

essential-addons-for-elementor-lite

Elementor addon offering 110+ widgets and templates — Elementor Gallery, Slider, Form, Post Grid, Menu, Accordion, WooCommerce & more.

2.0M 59 CVEs

Developer Profile

LWS Affiliation Developer Profile

Aurélien LWS

6 plugins · 78K total installs

trust score

Avg Security Score

91/100

Avg Patch Time

222 days

View full developer profile

Detection Fingerprints

How We Detect LWS Affiliation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/lws-affiliation/css/admin/style.css/wp-content/plugins/lws-affiliation/css/admin/jquery.dataTables.min.css/wp-content/plugins/lws-affiliation/css/admin/responsive.dataTables.min.css/wp-content/plugins/lws-affiliation/js/jquery.dataTables.min.js/wp-content/plugins/lws-affiliation/js/dataTables.responsive.min.js/wp-content/plugins/lws-affiliation/css/widget/widget.css

Script Paths

/wp-content/plugins/lws-affiliation/js/admin/tinymce-plugin.js/wp-content/plugins/lws-affiliation/js/admin/noneditable/plugin.min.js

HTML / DOM Fingerprints

CSS Classes

lws_aff_review_block_generallws_aff_circlelws_aff_review_block_imagelws_aff_review_block_titlelws_aff_review_block_desclws_aff_button_rate_pluginlws_aff_review_button_secondarylws_aff_hidden

HTML Comments

+1 more

Data Attributes

id="divWidgetDomainAffiliationLWS"class="mceNonEditable"id="divWidgetTableAffiliationLWS"class="mceNonEditable"id="lws_aff_review_notice"class="notice notice-info is-dismissible lws_aff_review_block_general"+2 more

JS Globals

lws_aff_remind_melws_aff_do_not_bother_meaffiliationConfigWidgetImageaffiliationConfigWidgetQueryaffiliationConfigWidgetN

REST Endpoints

/wp-json/lws-affiliation/v1/...

FAQ

LWS Affiliation Security & Risk Analysis

Is LWS Affiliation Safe to Use in 2026?

Use With Caution

Key Concerns

LWS Affiliation Security Vulnerabilities

CVEs by Year

Severity Breakdown

LWS Affiliation Release Timeline

LWS Affiliation Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

LWS Affiliation Attack Surface

AJAX Handlers 6

LWS Affiliation Maintenance & Trust

Maintenance Signals

Community Trust

LWS Affiliation Alternatives

Eldolink®

Hostinger Tools

Classic Widgets

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

Essential Addons for Elementor – Popular Elementor Templates & Widgets

LWS Affiliation Developer Profile

How We Detect LWS Affiliation

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about LWS Affiliation