Auto Affiliate Links Security & Risk Analysis

wordpress.org/plugins/wp-auto-affiliate-links

Automatically display affiliate links in your website content so you can make more money. It is also working well for internal linking.

3K active installs · v6.8.3.1 · PHP + WP 3.5+ · Updated Mar 11, 2026
Tags: affiliate, auto, content, keywords, posts
Score: 91 · A · Safe
CVEs total: 10
Unpatched: 0
Last CVE: Sep 18, 2024
Safety Verdict

Is Auto Affiliate Links Safe to Use in 2026?

Generally Safe

Score 91/100

Auto Affiliate Links has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Sep 18, 2024 · Updated 23d ago
Risk Assessment

The plugin "wp-auto-affiliate-links" v6.8.4 exhibits a concerning security posture, primarily due to a significant number of unprotected entry points and a history of diverse and severe vulnerabilities. While the static analysis indicates a lack of dangerous functions and a reasonable number of nonce and capability checks, the presence of 7 AJAX handlers without authentication is a critical weakness, opening the door for unauthorized actions. The taint analysis, while not showing critical or high severity flows, still reveals 7 flows with unsanitized paths, suggesting potential risks if these paths are exposed to user input. The vulnerability history is a major red flag, with 10 known CVEs, including past critical vulnerabilities of SQL Injection, Missing Authorization, CSRF, and Improper Access Control. The fact that these critical issues have been resolved is positive, but the sheer number and type of past vulnerabilities indicate a pattern of insecure coding practices within the plugin that attackers have historically exploited. While the current version may have patched its known CVEs, the substantial unprotected attack surface and the historical pattern of serious flaws necessitate caution.

Key Concerns

  • 7 unprotected AJAX handlers
  • 7 flows with unsanitized paths
  • SQL queries: 85% not using prepared statements
  • Output escaping: 67% not properly escaped
  • Total 10 known CVEs historically
  • Past critical vulnerabilities (SQLi, Missing Auth)
Vulnerabilities
10

Auto Affiliate Links Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2023: 5 CVEs
  • 2024: 4 CVEs

Severity Breakdown

  • Critical: 2
  • Medium: 8

10 total CVEs

CVE-2024-9838 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Auto Affiliate Links <= 6.4.6 - Authenticated (Admin+) SQL Injection

Sep 18, 2024 Patched in 6.4.7 (254d)
CVE-2024-34386 · critical · 9.1 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Auto Affiliate Links <= 6.4.3.1 - Authenticated (Editor+) SQL Injection

May 6, 2024 Patched in 6.4.4 (2d)
CVE-2024-1843 · medium · 4.3 · Missing Authorization

Auto Affiliate Links <= 6.4.3 - Missing Authorization via aalAddLink

Mar 11, 2024 Patched in 6.4.3.1 (3d)
WF-d89918e1-b525-4d32-9b11-5e014eb02c16-wp-auto-affiliate-links · medium · 5.8 · Cross-Site Request Forgery (CSRF)

Auto Affiliate Links <= 6.4.2.7 - Cross-Site Request Forgery

Jan 9, 2024 Patched in 6.4.2.8 (14d)
WF-17453fa5-af14-477b-9b3d-b245511ad8ce-wp-auto-affiliate-links · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Auto Affiliate Links <= 6.4.2.5 - Cross-Site Request Forgery

Nov 20, 2023 Patched in 6.4.2.6 (64d)
CVE-2023-47652 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

Auto Affiliate Links <= 6.4.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Nov 7, 2023 Patched in 6.4.2.5 (77d)
CVE-2023-25973 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Auto Affiliate Links <= 6.3.0.2 - Cross-Site Request Forgery via aalChangeOptions function

Feb 22, 2023 Patched in 6.3.0.3 (335d)
CVE-2022-45840 · medium · 5.4 · Improper Access Control

Auto Affiliate Links <= 6.2.1.5 - Authenticated (Subscriber+) Plugin Settings Change

Feb 6, 2023 Patched in 6.2.1.6 (351d)
CVE-2023-22689 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Auto Affiliate Links <= 6.3 - Cross-Site Request Forgery via aalDeleteLink function

Feb 2, 2023 Patched in 6.3.0.1 (355d)
WF-438d73bb-80f1-460f-8c62-2a40856e4c29-wp-auto-affiliate-links · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Auto Affiliate Links < 5.0 - SQL Injection

Jul 15, 2015 Patched in 5.0 (3114d)
Code Analysis
Analyzed Mar 16, 2026

Auto Affiliate Links Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 28; 5 prepared
  • Unescaped Output: 197; 95 escaped
  • Nonce Checks: 27
  • Capability Checks: 20
  • File Operations: 7
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

15% prepared · 33 total queries

Output Escaping

33% escaped · 292 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

17 flows · 7 with unsanitized paths
aal_ajax_get_ai_keywords (aal_ajax.php:345)
Attack Surface
7 unprotected

Auto Affiliate Links Attack Surface

Entry Points: 19
Unprotected: 7

AJAX Handlers 18

  • auth · wp_ajax_aal_get_ai_keywords · aal_ajax.php:343
  • auth · wp_ajax_aal_cache_set · aal_cache.php:6
  • nopriv · wp_ajax_aal_cache_set · aal_cache.php:7
  • auth · wp_ajax_aal_cache_get · aal_cache.php:77
  • nopriv · wp_ajax_aal_cache_get · aal_cache.php:78
  • auth · wp_ajax_aal_dismiss_notice · aal_install.php:262
  • auth · wp_ajax_aal_stats_save · aal_stats.php:291
  • nopriv · wp_ajax_aal_stats_save · aal_stats.php:292
  • auth · wp_ajax_aal_url_check · aal_urlcheck.php:36
  • auth · wp_ajax_aal_amazon_get · modules\amazon\amazon.php:11
  • nopriv · wp_ajax_aal_amazon_get · modules\amazon\amazon.php:12
  • auth · wp_ajax_aal_delete_link · WP-auto-affiliate-links.php:241
  • auth · wp_ajax_aal_update_link · WP-auto-affiliate-links.php:242
  • auth · wp_ajax_aal_add_link · WP-auto-affiliate-links.php:243
  • auth · wp_ajax_aal_kw_suggestion · WP-auto-affiliate-links.php:244
  • auth · wp_ajax_aal_change_options · WP-auto-affiliate-links.php:245
  • auth · wp_ajax_aal_add_exclude_posts · WP-auto-affiliate-links.php:246
  • auth · wp_ajax_aal_update_exclude_posts · WP-auto-affiliate-links.php:247

Shortcodes 1

[autolink] aal_shortcodelinking.php:84
WordPress Hooks 55
  • action · admin_init · aal_apimanagement.php:14
  • action · admin_post_wpaal_api_delete_cache · aal_apimanagement.php:34
  • action · admin_init · aal_excludecats.php:4
  • action · admin_init · aal_excludewords.php:4
  • action · wpmu_new_blog · aal_install.php:214
  • action · admin_notices · aal_install.php:261
  • action · add_meta_boxes · aal_metabox.php:20
  • action · save_post · aal_metabox.php:136
  • action · admin_init · aal_stats.php:5
  • action · wp_enqueue_scripts · aal_stats.php:259
  • action · admin_footer · aal_urlcheck.php:18
  • action · widgets_init · aal_widget.php:79
  • action · admin_init · modules\amazon\amazon.php:454
  • action · admin_init · modules\awin\awin.php:10
  • action · admin_init · modules\bestbuy\bestbuy.php:11
  • action · admin_init · modules\cj\cj.php:11
  • action · admin_init · modules\clickbank\clickbank.php:10
  • action · admin_init · modules\customfeed.php:53
  • action · admin_init · modules\discoveryjapan\discoveryjapan.php:12
  • action · admin_init · modules\ebay\ebay.php:11
  • action · admin_init · modules\envato\envato.php:11
  • action · admin_init · modules\rakuten\rakuten.php:11
  • action · admin_init · modules\shareasale\shareasale.php:11
  • action · admin_init · modules\walmart\walmart.php:11
  • action · wp_footer · WP-auto-affiliate-links.php:77
  • action · init · WP-auto-affiliate-links.php:130
  • filter · the_content · WP-auto-affiliate-links.php:133
  • filter · tablepress_table_output · WP-auto-affiliate-links.php:138
  • filter · bp_get_the_profile_field_value · WP-auto-affiliate-links.php:141
  • filter · bp_get_activity_content_body · WP-auto-affiliate-links.php:142
  • filter · wpsc_the_product_description · WP-auto-affiliate-links.php:145
  • filter · bricks/frontend/render_data · WP-auto-affiliate-links.php:148
  • filter · bbp_get_topic_content · WP-auto-affiliate-links.php:152
  • filter · bbp_get_reply_content · WP-auto-affiliate-links.php:153
  • filter · wpforo_content_after · WP-auto-affiliate-links.php:159
  • filter · rwmb_meta · WP-auto-affiliate-links.php:183
  • filter · asgarosforum_filter_post_content · WP-auto-affiliate-links.php:187
  • filter · peepso_activity_content_before · WP-auto-affiliate-links.php:190
  • filter · wprm_get_template · WP-auto-affiliate-links.php:193
  • filter · em_event_output · WP-auto-affiliate-links.php:196
  • filter · elementor/frontend/the_content · WP-auto-affiliate-links.php:199
  • filter · the_content · WP-auto-affiliate-links.php:202
  • filter · wps_forum_item_content_filter · WP-auto-affiliate-links.php:207
  • filter · get_the_excerpt · WP-auto-affiliate-links.php:211
  • filter · category_description · WP-auto-affiliate-links.php:215
  • filter · widget_text · WP-auto-affiliate-links.php:222
  • action · admin_init · WP-auto-affiliate-links.php:232
  • action · admin_init · WP-auto-affiliate-links.php:233
  • action · admin_menu · WP-auto-affiliate-links.php:234
  • action · init · WP-auto-affiliate-links.php:235
  • action · query_vars · WP-auto-affiliate-links.php:236
  • action · wp · WP-auto-affiliate-links.php:237
  • action · wp_print_scripts · WP-auto-affiliate-links.php:238
  • action · admin_footer · WP-auto-affiliate-links.php:240
  • action · wp_enqueue_scripts · WP-auto-affiliate-links.php:248
Maintenance & Trust

Auto Affiliate Links Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version
Downloads: 951K

Community Trust

Rating: 82/100
Number of ratings: 39
Active installs: 3K
Developer Profile

Auto Affiliate Links Developer Profile

Lucian Apostol

6 plugins · 3K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 457 days
Detection Fingerprints

How We Detect Auto Affiliate Links

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-auto-affiliate-links/css/style.css
  • /wp-content/plugins/wp-auto-affiliate-links/js/api.js
  • /wp-content/plugins/wp-auto-affiliate-links/js/js.js
Script Paths
  • js/api.js
  • js/js.js
Version Parameters
  • wp-auto-affiliate-links/css/style.css?ver=
  • wp-auto-affiliate-links/js/api.js?ver=
  • wp-auto-affiliate-links/js/js.js?ver=

HTML / DOM Fingerprints

JS Globals
  • ajax_script
  • aal_amazon_obj
  • aal_data