ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Security & Risk Analysis

wordpress.org/plugins/thirstyaffiliates

🔗 Affiliate link management & cloaker tool. Easily manage, shrink and track your affiliate links in WordPress. 🔥

30K active installs v3.11.10 PHP 7.4+ WP 6.0+ Updated Jan 20, 2026
Tags: affiliate-links, amazon-affiliates, link-shortner, link-tracking, redirects
Score: 95 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Feb 2, 2026
Safety Verdict

Is ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Safe to Use in 2026?

Generally Safe

Score 95/100

ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Feb 2, 2026 · Updated 2mo ago
Risk Assessment

The ThirstyAffiliates plugin v3.11.10 presents a mixed security posture. On the positive side, it adheres to best practices in many areas. A high percentage of SQL queries use prepared statements, and a significant majority of output operations are properly escaped, indicating a proactive approach to preventing common web vulnerabilities. The numerous nonce and capability checks further suggest a focus on securing its functionality. However, several concerns warrant attention. The attack surface is moderately sized, with a notable number of unprotected AJAX handlers that represent a potential entry point for unauthorized actions. The taint analysis reveals critical flows, specifically indicating high severity vulnerabilities where input might not be adequately sanitized, posing a risk of data compromise or code execution.

The vulnerability history shows a pattern of past issues including Cross-Site Request Forgery, Missing Authorization, and Cross-site Scripting. While there are no currently unpatched CVEs, the recurring nature of these vulnerability types suggests potential for similar issues to re-emerge if code review and sanitization practices are not rigorously maintained. The fact that the last vulnerability was recorded in early 2026, which is in the future, is highly suspect and needs investigation; this could indicate an error in reporting or a placeholder value that obscures the true recency of security concerns.

In conclusion, ThirstyAffiliates exhibits good practices in areas like output escaping and prepared statements. Nevertheless, the unprotected AJAX endpoints, critical taint flows, and a history of common web vulnerabilities highlight areas that require immediate review and improvement. Addressing these specific weaknesses is crucial to strengthening the plugin's overall security and protecting user data.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Medium severity past CVEs (5)
  • Dangerous function unserialize
  • Flows with unsanitized paths
Vulnerabilities
5

ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2022: 2 CVEs
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2026-25024 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

ThirstyAffiliates <= 3.11.9 - Cross-Site Request Forgery

Feb 2, 2026 · Patched in 3.11.10 (9d)

CVE-2025-67537 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ThirstyAffiliates <= 3.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 15, 2025 · Patched in 3.11.9 (5d)

CVE-2022-0634 · medium · 5.4 · Missing Authorization

ThirstyAffiliates Affiliate Link Manager <= 3.10.4 - Authorization Bypass and Cross-Site Request Forgery

Apr 10, 2022 · Patched in 3.10.5 (653d)

CVE-2022-0398 · medium · 5.4 · Missing Authorization

ThirstyAffiliates Affiliate Link Manager <= 3.10.4 - Subscriber+ Arbitrary Affiliate Links Creation

Apr 10, 2022 · Patched in 3.10.5 (653d)

CVE-2021-24127 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ThirstyAffiliates Affiliate Link Manager <= 3.9.2 - Stored Cross-Site Scripting

May 22, 2020 · Patched in 3.9.3 (1341d)

Code Analysis
Analyzed Mar 16, 2026

ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 11 (34 prepared)
Unescaped Output: 89 (967 escaped)
Nonce Checks: 40
Capability Checks: 62
File Operations: 3
External Requests: 11
Bundled Libraries: 3

Dangerous Functions Found

unserialize · $settings_arr = @unserialize( base64_decode( $global_settings_string ) ); · Models\Settings.php:2050

Bundled Libraries

Select2, TinyMCE, jQuery

SQL Query Safety

76% prepared · 45 total queries

Output Escaping

92% escaped · 1056 total outputs

Data Flows
3 unsanitized

Data Flow Analysis

12 flows · 3 with unsanitized paths
ajax_save_click_data_on_redirect (Models\Stats_Reporting.php:292)
Attack Surface
17 unprotected

ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Attack Surface

Entry Points: 58
Unprotected: 17

AJAX Handlers 57

auth · wp_ajax_ta_addon_activate · Models\Addons.php:115
auth · wp_ajax_ta_addon_deactivate · Models\Addons.php:116
auth · wp_ajax_ta_addon_install · Models\Addons.php:117
auth · wp_ajax_ta_get_category_slug · Models\Affiliate_Links_CPT.php:1536
auth · wp_ajax_ta_link_inserted_scanner · Models\Affiliate_Links_CPT.php:1537
auth · wp_ajax_ta_add_attachments_to_affiliate_link · Models\Affiliate_Link_Attachment.php:417
auth · wp_ajax_ta_remove_attachment_to_affiliate_link · Models\Affiliate_Link_Attachment.php:418
auth · wp_ajax_ta_insert_external_image · Models\Affiliate_Link_Attachment.php:419
auth · wp_ajax_ta_close_guided_tour · Models\Guided_Tour.php:373
auth · wp_ajax_ta_link_fixer · Models\Link_Fixer.php:290
nopriv · wp_ajax_ta_link_fixer · Models\Link_Fixer.php:291
auth · wp_ajax_search_affiliate_links_query · Models\Link_Picker.php:705
auth · wp_ajax_ta_advanced_add_affiliate_link · Models\Link_Picker.php:706
auth · wp_ajax_ta_get_image_markup_by_id · Models\Link_Picker.php:707
auth · wp_ajax_ta_quick_add_affiliate_link_thickbox · Models\Link_Picker.php:710
auth · wp_ajax_ta_process_quick_add_affiliate_link · Models\Link_Picker.php:711
auth · wp_ajax_ta_edit_affiliate_link_shortcode · Models\Link_Picker.php:714
auth · wp_ajax_ta_dismiss_marketing_notice · Models\Marketing.php:528
auth · wp_ajax_ta_enable_js_redirect · Models\Marketing.php:529
auth · wp_ajax_ta_dismiss_review_prompt · Models\Marketing.php:530
auth · wp_ajax_ta_migrate_old_plugin_data · Models\Migration.php:860
auth · wp_ajax_ta_onboarding_mark_steps_complete · Models\Onboarding.php:128
auth · wp_ajax_ta_onboarding_save_features · Models\Onboarding.php:130
auth · wp_ajax_ta_onboarding_load_link_step_content · Models\Onboarding.php:131
auth · wp_ajax_ta_onboarding_load_create_new_content · Models\Onboarding.php:132
auth · wp_ajax_ta_onboarding_save_new_link · Models\Onboarding.php:133
auth · wp_ajax_ta_onboarding_set_content · Models\Onboarding.php:134
auth · wp_ajax_ta_onboarding_unset_content · Models\Onboarding.php:135
auth · wp_ajax_ta_onboarding_save_new_category · Models\Onboarding.php:136
auth · wp_ajax_ta_onboarding_get_category · Models\Onboarding.php:137
auth · wp_ajax_ta_onboarding_import_links · Models\Onboarding.php:138
auth · wp_ajax_ta_onboarding_unset_category · Models\Onboarding.php:139
auth · wp_ajax_ta_onboarding_mark_content_steps_skipped · Models\Onboarding.php:140
auth · wp_ajax_ta_onboarding_load_finish_step · Models\Onboarding.php:141
auth · wp_ajax_ta_onboarding_re_render_links_list · Models\Onboarding.php:142
auth · wp_ajax_ta_onboarding_load_complete_step · Models\Onboarding.php:143
auth · wp_ajax_ta_onboarding_install_correct_edition · Models\Onboarding.php:144
auth · wp_ajax_ta_onboarding_install_addons · Models\Onboarding.php:145
auth · wp_ajax_ta_onboarding_finish · Models\Onboarding.php:146
auth · wp_ajax_ta_dismiss_notice · Models\Script_Loader.php:598
auth · wp_ajax_ta_dismiss_daily_notice · Models\Script_Loader.php:599
auth · wp_ajax_ta_dismiss_monthly_notice · Models\Script_Loader.php:600
auth · wp_ajax_ta_import_settings · Models\Settings.php:2198
auth · wp_ajax_ta_dismiss_upgrade_header · Models\Settings.php:2199
auth · wp_ajax_ta_click_data_redirect · Models\Stats_Reporting.php:1113
nopriv · wp_ajax_ta_click_data_redirect · Models\Stats_Reporting.php:1114
auth · wp_ajax_ta_fetch_report_by_linkid · Models\Stats_Reporting.php:1115
auth · wp_ajax_ta_init_first_report · Models\Stats_Reporting.php:1116
auth · wp_ajax_ta_search_stripe_prices · Models\Stripe.php:1556
auth · wp_ajax_ta_stripe_add_product · Models\Stripe.php:1557
auth · wp_ajax_ta_dismiss_customer_portal_notice · Models\Stripe.php:1558
auth · wp_ajax_ta_stripe_connect_update_creds · Models\Stripe_Connect.php:131
auth · wp_ajax_ta_stripe_connect_refresh · Models\Stripe_Connect.php:132
auth · wp_ajax_ta_stripe_connect_disconnect · Models\Stripe_Connect.php:133
auth · wp_ajax_mosh_addon_activate · vendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:28
auth · wp_ajax_mosh_addon_deactivate · vendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:29
auth · wp_ajax_mosh_addon_install · vendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:30

Shortcodes 1

[thirstylink] · Models\Shortcodes.php:304

WordPress Hooks 131

action · admin_enqueue_scripts · Models\Addons.php:113
action · in_admin_header · Models\Addons.php:114
action · save_post · Models\Affiliate_Links_CPT.php:1075
filter · get_sample_permalink_html · Models\Affiliate_Links_CPT.php:1550
filter · wp_kses_allowed_html · Models\Affiliate_Links_CPT.php:1551
action · save_post · Models\Affiliate_Links_CPT.php:1555
filter · manage_edit-thirstylink_columns · Models\Affiliate_Links_CPT.php:1558
filter · manage_edit-thirstylink_sortable_columns · Models\Affiliate_Links_CPT.php:1559
action · manage_thirstylink_posts_custom_column · Models\Affiliate_Links_CPT.php:1560
action · pre_get_posts · Models\Affiliate_Links_CPT.php:1561
filter · default_hidden_columns · Models\Affiliate_Links_CPT.php:1562
action · restrict_manage_posts · Models\Affiliate_Links_CPT.php:1565
filter · parse_query · Models\Affiliate_Links_CPT.php:1566
filter · posts_join · Models\Affiliate_Links_CPT.php:1569
filter · posts_search · Models\Affiliate_Links_CPT.php:1570
filter · post_type_link · Models\Affiliate_Links_CPT.php:1573
filter · ta_admin_interfaces · Models\Affiliate_Links_CPT.php:1576
filter · ta_menu_items · Models\Affiliate_Links_CPT.php:1577
action · admin_menu · Models\Affiliate_Links_CPT.php:1580
filter · admin_head · Models\Affiliate_Links_CPT.php:1581
action · pre_get_posts · Models\Affiliate_Links_CPT.php:1582
filter · admin_url · Models\Affiliate_Links_CPT.php:1583
filter · submenu_file · Models\Affiliate_Links_CPT.php:1584
action · current_screen · Models\Affiliate_Links_CPT.php:1586
filter · pre_months_dropdown_query · Models\Affiliate_Links_CPT.php:1587
filter · upload_mimes · Models\Affiliate_Link_Attachment.php:276
action · current_screen · Models\Affiliate_Link_Attachment.php:432
action · delete_attachment · Models\Affiliate_Link_Attachment.php:433
action · admin_init · Models\Authenticator.php:119
action · admin_init · Models\Authenticator.php:120
action · admin_init · Models\Authenticator.php:121
action · plugins_loaded · Models\Bootstrap.php:507
action · wpmu_new_blog · Models\Bootstrap.php:514
action · init · Models\Bootstrap.php:519
action · init · Models\Bootstrap.php:521
action · admin_menu · Models\Bootstrap.php:522
action · activated_plugin · Models\Bootstrap.php:523
filter · mce_external_plugins · Models\Link_Picker.php:134
filter · mce_buttons · Models\Link_Picker.php:135
filter · mce_external_plugins · Models\Link_Picker.php:153
filter · mce_buttons · Models\Link_Picker.php:154
action · wp · Models\Link_Picker.php:727
action · admin_init · Models\Link_Picker.php:730
filter · mce_css · Models\Link_Picker.php:731
filter · the_content · Models\Link_Picker.php:733
filter · render_block · Models\Link_Picker.php:734
action · admin_notices · Models\Marketing.php:544
action · admin_notices · Models\Marketing.php:545
action · admin_menu · Models\Marketing.php:546
action · admin_head · Models\Marketing.php:547
filter · option_ta_enable_javascript_frontend_redirect · Models\Marketing.php:548
filter · ta_register_side_metaboxes · Models\Marketing.php:549
action · admin_notices · Models\Migration.php:875
filter · ta_migration_process_old_options · Models\Migration.php:877
filter · ta_migration_process_old_options · Models\Migration.php:878
filter · ta_migration_process_old_options · Models\Migration.php:879
action · ta_migrate_complex_options · Models\Migration.php:880
filter · ta_migration_process_old_link_meta · Models\Migration.php:881
action · ta_migrate_old_plugin_data · Models\Migration.php:883
action · admin_notices · Models\Onboarding.php:129
action · tap_license_activated · Models\Onboarding.php:147
action · tap_license_deactivated · Models\Onboarding.php:148
filter · monsterinsights_shareasale_id · Models\Onboarding.php:149
action · admin_notices · Models\Onboarding.php:209
filter · submenu_file · Models\Onboarding.php:210
action · rest_api_init · Models\REST_API.php:351
filter · ta_rest_api_sanitize_field · Models\REST_API.php:352
filter · pre_update_option_ta_link_prefix · Models\Rewrites_Redirection.php:426
filter · pre_update_option_ta_link_prefix_custom · Models\Rewrites_Redirection.php:427
filter · pre_update_option_ta_show_cat_in_slug · Models\Rewrites_Redirection.php:428
filter · pre_update_option_ta_blocked_bots · Models\Rewrites_Redirection.php:429
action · update_option_ta_enable_bot_crawl_blocker_script · Models\Rewrites_Redirection.php:430
action · ta_after_register_thirstylink_post_type · Models\Rewrites_Redirection.php:431
action · ta_after_register_thirstylink_post_type · Models\Rewrites_Redirection.php:432
action · template_redirect · Models\Rewrites_Redirection.php:435
filter · ta_filter_redirect_url · Models\Rewrites_Redirection.php:438
action · wp · Models\Rewrites_Redirection.php:442
action · admin_enqueue_scripts · Models\Script_Loader.php:582
action · wp_enqueue_scripts · Models\Script_Loader.php:583
action · elementor/editor/before_enqueue_scripts · Models\Script_Loader.php:586
action · enqueue_block_editor_assets · Models\Script_Loader.php:589
action · admin_footer · Models\Script_Loader.php:592
action · in_admin_footer · Models\Script_Loader.php:595
action · admin_enqueue_scripts · Models\Settings.php:2183
action · admin_init · Models\Settings.php:2436
action · admin_menu · Models\Settings.php:2437
action · current_screen · Models\Settings.php:2438
action · ta_before_settings_form · Models\Settings.php:2440
action · ta_before_settings_form · Models\Settings.php:2441
action · pre_update_option_ta_link_prefix · Models\Settings.php:2442
action · pre_update_option_ta_link_prefix_custom · Models\Settings.php:2443
filter · ta_admin_interfaces · Models\Settings.php:2445
filter · ta_menu_items · Models\Settings.php:2446
action · in_admin_header · Models\Settings.php:2448
action · admin_footer · Models\Settings.php:2449
filter · ta_filter_before_save_click · Models\Stats_Reporting.php:1132
action · ta_before_link_redirect · Models\Stats_Reporting.php:1133
action · admin_menu · Models\Stats_Reporting.php:1134
action · ta_register_reports · Models\Stats_Reporting.php:1135
action · before_delete_post · Models\Stats_Reporting.php:1137
filter · ta_admin_interfaces · Models\Stats_Reporting.php:1139
filter · ta_menu_items · Models\Stats_Reporting.php:1140
action · admin_notices · Models\Stripe.php:1559
filter · ta_affiliate_link_extended_data · Models\Stripe.php:1572
filter · ta_save_affiliate_link_post · Models\Stripe.php:1573
filter · ta_filter_redirect_url · Models\Stripe.php:1574
action · ta_before_link_redirect · Models\Stripe.php:1575
action · admin_enqueue_scripts · Models\Stripe.php:1576
action · admin_footer · Models\Stripe.php:1577
filter · ta_thirstypay_settings · Models\Stripe.php:1578
filter · ta_supported_field_types · Models\Stripe.php:1579
filter · ta_supported_field_types · Models\Stripe.php:1580
filter · pre_update_option_ta_thirstypay_thank_you_page_id · Models\Stripe.php:1581
filter · ta_supported_field_types · Models\Stripe.php:1582
action · parse_request · Models\Stripe.php:1583
action · wp_enqueue_scripts · Models\Stripe.php:1584
filter · the_content · Models\Stripe.php:1585
filter · ta_link_insert_extend_data_attributes · Models\Stripe.php:1586
filter · display_post_states · Models\Stripe.php:1587
action · ta_settings_errors · Models\Stripe.php:1588
action · admin_init · Models\Stripe_Connect.php:127
action · admin_notices · Models\Stripe_Connect.php:128
action · update_option_home · Models\Stripe_Connect.php:129
action · update_option_siteurl · Models\Stripe_Connect.php:130
filter · ta_settings_option_sections · Models\Stripe_Connect.php:134
filter · ta_settings_section_options · Models\Stripe_Connect.php:135
action · ta_before_settings_section_fields · Models\Stripe_Connect.php:136
action · admin_notices · thirstyaffiliates.php:118
action · init · thirstyaffiliates.php:294
filter · site_transient_update_plugins · vendor-prefixed\caseproof\ground-level-mothership\Manager\AddonsManager.php:31
action · admin_menu · vendor-prefixed\caseproof\growth-tools\src\App.php:47

Maintenance & Trust

ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 20, 2026
PHP min version: 7.4
Downloads: 1.3M

Community Trust

Rating: 92/100
Number of ratings: 250
Active installs: 30K

Developer Profile

ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Developer Profile

Blair Williams

4 plugins · 630K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 1044 days

Detection Fingerprints

How We Detect ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/thirstyaffiliates/assets/css/admin.css
  • /wp-content/plugins/thirstyaffiliates/assets/css/frontend.css
  • /wp-content/plugins/thirstyaffiliates/assets/css/themes.css
  • /wp-content/plugins/thirstyaffiliates/assets/css/wp-editor.css
  • /wp-content/plugins/thirstyaffiliates/assets/js/admin.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/buddyboss-integration.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/frontend.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/link-picker.js
  • +4 more
Script Paths
  • /wp-content/plugins/thirstyaffiliates/assets/js/admin.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/frontend.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/link-picker.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/notifications.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/shortcode-generator.js
  • /wp-content/plugins/thirstyaffiliates/assets/js/stats.js
Version Parameters
  • thirstyaffiliates/assets/css/admin.css?ver=
  • thirstyaffiliates/assets/css/frontend.css?ver=
  • thirstyaffiliates/assets/css/themes.css?ver=
  • thirstyaffiliates/assets/css/wp-editor.css?ver=
  • thirstyaffiliates/assets/js/admin.js?ver=
  • thirstyaffiliates/assets/js/buddyboss-integration.js?ver=
  • thirstyaffiliates/assets/js/frontend.js?ver=
  • thirstyaffiliates/assets/js/link-picker.js?ver=
  • thirstyaffiliates/assets/js/notifications.js?ver=
  • thirstyaffiliates/assets/js/shortcode-generator.js?ver=
  • thirstyaffiliates/assets/js/stats.js?ver=
  • thirstyaffiliates/assets/js/thirsty-affiliates-react.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ta-link-settings, ta-link-categories, ta-link-groups, ta-link-categories-list, ta-link-groups-list, ta-add-new-link, ta-edit-link, ta-manage-links-table (+19 more)
HTML Comments
  • <!-- ThirstyAffiliates -->, <!-- End ThirstyAffiliates -->, <!-- TA Stats -->, <!-- TA Stats END --> (+16 more)
Data Attributes
  • data-ta-action, data-ta-nonce, data-ta-link-id, data-ta-link-slug, data-ta-link-title, data-ta-link-url (+14 more)
JS Globals
  • ThirstyAffiliates, TA_Admin, TA_Frontend, TA_LinkPicker, TA_Notifications, TA_ShortcodeGenerator (+7 more)
REST Endpoints
  • /wp-json/thirstyaffiliates/v1/links
  • /wp-json/thirstyaffiliates/v1/categories
  • /wp-json/thirstyaffiliates/v1/groups
  • /wp-json/thirstyaffiliates/v1/settings
  • /wp-json/thirstyaffiliates/v1/stats
  • /wp-json/thirstyaffiliates/v1/notifications
Shortcode Output
  • [thirstylink], [thirstylink-click-tracking], [thirstylink-categories], [thirstylink-groups]
FAQ

Frequently Asked Questions about ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin