Skip to main content

Auto Affiliate Links CVE-2026-24592

| EUVD-2026-31748 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-64j4-wv48-vxg4
Authentication Bypass Auto Affiliate Links
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:53 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Auto Affiliate Links: from n/a through 6.8.8.3.

AnalysisAI

Missing authorization in the Auto Affiliate Links WordPress plugin (all versions through 6.8.8.3) allows unauthenticated remote attackers to bypass access control checks and perform unauthorized write operations against affiliate link configurations. The vulnerability is classified as broken access control (CWE-862) and was reported by Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate WordPress plugins via public paths
Delivery
Confirm Auto Affiliate Links ≤6.8.8.3 is active
Exploit
Craft unauthenticated POST to wp-ajax endpoint
Execution
Bypass missing authorization check
Impact
Overwrite affiliate link configuration
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The Auto Affiliate Links plugin (any version through 6.8.8.3) must be installed and active on a WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.3 (Medium) is consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - network-reachable, zero complexity, no authentication, no user interaction required, but limited to a partial integrity impact with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a publicly accessible WordPress site running Auto Affiliate Links through version 6.8.8.3 via passive recon (e.g., WPScan, HTTP response headers, or /wp-content/plugins/ enumeration). The attacker sends a crafted HTTP POST request directly to wp-admin/admin-ajax.php with the vulnerable plugin action, bypassing all authorization checks and modifying affiliate link settings - potentially redirecting legitimate affiliate revenue to attacker-controlled accounts. …
Remediation Update the Auto Affiliate Links plugin to a version beyond 6.8.8.3 if a patched release has been published to the WordPress plugin repository; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-auto-affiliate-links/vulnerability/wordpress-auto-affiliate-links-plugin-6-8-8-3-broken-access-control-vulnerability for the confirmed fixed version, as no specific patch version was present in the data available at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24592 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy