[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxrl4xaAMaFr9D3Ios7lmzlVII7PdDlNCFsUQr1DICks":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-24592","auto-affiliate-links-missing-authorization","Auto Affiliate Links \u003C= 6.8.8.3 - Missing Authorization","The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.8.8.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-auto-affiliate-links",null,"\u003C=6.8.8.3","6.8.9","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-06-18 18:28:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdfc5d4a0-e651-4ecc-b584-9beed9f6e5fb?source=api-prod",25,[22,23,24,25],"WP-auto-affiliate-links.php","aal_cache.php","js\u002Fapi.js","readme.txt","researched",false,3,"I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for compromising security vulnerabilities.\n\nFor information on how to secure WordPress installations and protect against unauthorized access or missing authorization vulnerabilities, I recommend consulting the following resources:\n\n*   **WordPress Developer Resources on Plugin Security**: Specifically the sections on [Roles and Capabilities](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002Froles-and-capabilities\u002F) and [Nonces](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002Fnonces\u002F).\n*   **OWASP Top 10**: The [Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2017\u002FA5_2017-Broken_Access_Control) category provides general guidance on implementing proper authorization checks.\n*   **Common Vulnerabilities and Exposures (CVE) Database**: You can review the official entry for CVE-2026-24592 (if available) or similar vulnerabilities to understand the vendor's remediation advice and patch details.\n\nMaintaining secure code involves ensuring that every endpoint—especially those accessible via AJAX or the REST API—includes both a nonce check for CSRF protection and a capability check (using `current_user_can()`) to verify the user has the appropriate permissions to perform the requested action.","The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized post meta modification due to missing capability checks and insecure nonce usage in the `aal_cache_set_func` AJAX handler. This allows unauthenticated attackers to overwrite the 'aal_cache_links' metadata of any post, potentially injecting arbitrary affiliate links or modifying site content.","\u002F\u002F aal_cache.php\n\nadd_action( 'wp_ajax_aal_cache_set', 'aal_cache_set_func' );\nadd_action( 'wp_ajax_nopriv_aal_cache_set', 'aal_cache_set_func' );\n\n\nfunction aal_cache_set_func() {\n\t\n\tcheck_ajax_referer( 'aalcachesetnonce', 'cachesetnonce' ); \n\t\n\t\n\tif(isset($_POST['aalpostid']) && $_POST['aalpostid'] && is_numeric(substr($_POST['aalpostid'], 0, 5)) ) {\n\t\t\n\t\t$postidnr = substr(sanitize_text_field($_POST['aalpostid']), 0, 5);\n\t\t$links = array();\n\t\t\u002F\u002F$links = array_map( 'sanitize_text_field', $_POST['aalcachelinks'] );\n\t\t\u002F\u002Fprint_r($_POST['aalcachelinks']);\n\t\tforeach($_POST['aalcachelinks'] as $l) {\n\t\t\t$lob = new stdClass();\n\t\t\t$lob->url = sanitize_text_field($l['url']);\n\t\t\t$lob->key = sanitize_text_field($l['key']);\n\t\t\t$links[] = $lob;\n\t\t\n\t\t}\n\n        \u002F\u002F ...\n\n\t\tif(get_post_status($postidnr)) { \n\t\t\t$return = update_post_meta($postidnr, 'aal_cache_links', $jsonlinks);\n\t\t}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-auto-affiliate-links\u002F6.8.8.3\u002Faal_cache.php\t2026-05-12 09:39:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-auto-affiliate-links\u002F6.8.9\u002Faal_cache.php\t2026-05-27 12:52:26.000000000 +0000\n@@ -8,69 +8,94 @@\n \n \n function aal_cache_set_func() {\n-\t\n-\tcheck_ajax_referer( 'aalcachesetnonce', 'cachesetnonce' ); \n-\t\n-\t\n-\tif(isset($_POST['aalpostid']) && $_POST['aalpostid'] && is_numeric(substr($_POST['aalpostid'], 0, 5)) ) {\n-\t\t\n-\t\t$postidnr = substr(sanitize_text_field($_POST['aalpostid']), 0, 5);\n-\t\t$links = array();\n-\t\t\u002F\u002F$links = array_map( 'sanitize_text_field', $_POST['aalcachelinks'] );\n-\t\t\u002F\u002Fprint_r($_POST['aalcachelinks']);\n-\t\tforeach($_POST['aalcachelinks'] as $l) {\n-\t\t\t$lob = new stdClass();\n-\t\t\t$lob->url = sanitize_text_field($l['url']);\n-\t\t\t$lob->key = sanitize_text_field($l['key']);\n-\t\t\t$links[] = $lob;\n-\t\t\n-\t\t}\n-\t\t\u002F\u002F$links = $_POST['aalcachelinks'];\n-\t\t\n-\t\t$awidgets = '';\n-\t\tif(isset($_POST['aalcacheawidget']) && is_array($_POST['aalcacheawidget'])) {\n-\t\t\t$awidgets = array();\n-\t\t\tforeach($_POST['aalcacheawidget'] as $w) {\n-\t\t\t\t\n-\t\t\t\t$wob = new stdClass();\n-\t\t\t\t$wob->price = sanitize_text_field($w['price']);\n-\t\t\t\t$wob->url = sanitize_text_field($w['url']);\t\n-\t\t\t\t$wob->image = sanitize_text_field($w['image']);\t\n-\t\t\t\t$wob->title = sanitize_text_field($w['title']);\t\t\t\t\n-\t\t\t\t$awidgets[] = $wob;\n-\t\t\t}\t\t\n-\t\t\n-\t\t\n-\t\t}\n-\t\t\n-\t\t\n-\t\t$response = new stdClass();\n-\t\t$response->links = $links;\n-\t\tif(is_array($awidgets)) $response->amazonwidget = $awidgets;\n-\t\t$response->updated = time();\n-\t\t$jsonlinks = json_encode($response);\n-\t\t\n-\t\tif(get_post_status($postidnr)) { \n-\t\t\n-\t\t\t\n-\t\t\n-\t\t\n-\t\t\t$return = update_post_meta($postidnr, 'aal_cache_links', $jsonlinks);\n-\t\t\n-\t\t\n-\t\t\t\u002F\u002Fecho $return;\n-\t\t}\n-\t\telse {\n-\t\t\techo 'nopost';\t\t\n-\t\t}\n-\t}\n-\t\n-\telse {\n-\t\techo 'failed';\n-\t}\n-\t\n-\texit();\n-\tdie();\n+    \n+    check_ajax_referer( 'aalcachesetnonce', 'cachesetnonce' ); \n+    \n+    if ( !isset($_POST['api_payload']) || !isset($_POST['api_signature']) ) {\n+        echo 'failed';\n+        wp_die();\n+    }\n+\n+    $payload_string = wp_unslash($_POST['api_payload']);\n+    $signature = base64_decode(wp_unslash($_POST['api_signature']));\n+\n+    $public_key = \u003C\u003C\u003C'EOD'\n+-----BEGIN PUBLIC KEY-----\n+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzMt3P4hcTE\u002FKxjVPtqVn\n+wtQ4\u002FEyPRBtpqZx\u002FYsshRNveLqCdM9425VDLJ\u002FSRbVp0FvtyfQ4PODWIv+PpLcfO\n+zd\u002FYQRq50JMfcS61Iyuamt0mcodzS321qfkAav0+kWca8fcv6Lulkt41QpXLSQAj\n+wQc9+WBvvVNmhYB5c0q54S+uGc3JGludyu+MRZf7n+mMcI6G5Hv4DRasPNkAni6L\n+iMhR4558mt5LREXTEKJCKk0rfUNOsgJkjYGx0F1qaGaMHaUwcjKgFDJyOpxmfdJC\n+wpd\u002F9NGelgAn5W\u002FNReGSTKpJcutkGGIJwYwYtrA9Zi6Qxnz0Kt0d7wvg\u002FUZ6WpWn\n+ZwIDAQAB\n+-----END PUBLIC KEY-----\n+EOD;\n+\n+    \n+    $is_valid = openssl_verify($payload_string, $signature, $public_key, OPENSSL_ALGO_SHA256);\n+\n+    if ( $is_valid !== 1 ) {\n+        echo 'failed';\n+        wp_die();\n+    }    \n+\n+    \n+    $cache_data = json_decode($payload_string, true);\n+\n+    if(isset($_POST['aalpostid']) && !empty($_POST['aalpostid'])) {\n+        \n+        \n+        $postidnr = intval(preg_replace('\u002F[^0-9]\u002F', '', $_POST['aalpostid']));\n+        \n+        if ($postidnr === 0 || !get_post_status($postidnr)) {\n+            echo 'nopost';\n+            wp_die();\n+        }\n+\n+        \n+        $links = array();\n+        if(isset($cache_data['links']) && is_array($cache_data['links'])) {\n+            foreach($cache_data['links'] as $l) {\n+                $lob = new stdClass();\n+                \u002F\u002F Folosim sanitize_url care e specific pentru link-uri, eliminând scripturile\n+                $lob->url = sanitize_url($l['url']);\n+                $lob->key = sanitize_text_field($l['key']);\n+                $links[] = $lob;\n+            }\n+        }\n+        \n+        $awidgets = '';\n+        if(isset($cache_data['amazonwidget']) && is_array($cache_data['amazonwidget'])) {\n+            $awidgets = array();\n+            foreach($cache_data['amazonwidget'] as $w) {\n+                $wob = new stdClass();\n+                $wob->price = sanitize_text_field($w['price']);\n+                $wob->url   = sanitize_url($w['url']);\t\n+                $wob->image = sanitize_url($w['image']);\t\n+                $wob->title = sanitize_text_field($w['title']);\t\t\t\t\n+                $awidgets[] = $wob;\n+            }\t\t\n+        }\n+        \n+        \n+        $response = new stdClass();\n+        $response->links = $links;\n+        if(is_array($awidgets)) {\n+            $response->amazonwidget = $awidgets;\n+        }\n+        $response->updated = time();\n+        \n+        \n+        $jsonlinks = wp_json_encode($response);\n+        \n+        update_post_meta($postidnr, 'aal_cache_links', $jsonlinks);\n+        echo 'success';\n+        \n+    } else {\n+        echo 'failed';\n+    }\n+    \n+    wp_die();\n }","1. Identify a target WordPress site using Auto Affiliate Links \u003C= 6.8.8.3.\n2. Access the front-end of the site and extract the 'aalcachesetnonce' value, which is localized in the 'aal_amazon_obj' JavaScript object.\n3. Identify a valid 'post_id' on the site.\n4. Send an unauthenticated AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following parameters:\n   - action: aal_cache_set\n   - cachesetnonce: [Extracted Nonce]\n   - aalpostid: [Target Post ID]\n   - aalcachelinks: An array of objects containing 'url' and 'key' properties (e.g., aalcachelinks[0][url]=http:\u002F\u002Fmalicious.com&aalcachelinks[0][key]=target-keyword).\n5. The plugin will execute `update_post_meta`, overwriting the 'aal_cache_links' key for the specified post with the attacker-controlled link data. This data will be served to subsequent visitors of the post.","gemini-3-flash-preview","2026-06-04 21:12:50","2026-06-04 21:13:42",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.8.8.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-auto-affiliate-links\u002Ftags\u002F6.8.8.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-auto-affiliate-links.6.8.8.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-auto-affiliate-links\u002Ftags\u002F6.8.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-auto-affiliate-links.6.8.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-auto-affiliate-links\u002Ftags"]