Affiliate Links WordPress Plugin PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the Affiliate Links: WordPress Plugin for Link Cloaking and Link Management, affecting all versions through 3.0.1. The vulnerability arises from the deserialization of untrusted input during a file export, allowing unauthenticated attackers to inject a PHP object. While the vulnerable plugin itself does not have a known object injection chain, the issue could be exploited if another plugin or theme with a suitable chain is installed, potentially leading to unauthorized file deletion, sensitive data exposure, or arbitrary code execution.
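The pattern behind this class of bug, and the fix, shown as an added illustration in PHP. This is not the Affiliate Links plugin's code and does not reproduce its export routine; the handler names, the request parameter, and the sample inputs are all assumptions constructed for the example. It contrasts a handler that passes untrusted input straight to unserialize() with one that forbids object instantiation and rejects any payload that still carries an object, which is what stops a gadget chain from another plugin or theme from ever running.

```php
<?php
// Added illustration, not the Affiliate Links plugin's own code.
// Assumed scenario: an export/import handler receives serialized settings
// in a request body; the function names here are hypothetical.

// Vulnerable pattern: unserialize() on attacker-controlled input lets the
// sender instantiate any class loaded in the process. That is PHP Object
// Injection; whether it becomes file deletion or code execution depends on
// which classes (gadgets) other plugins or themes happen to load.
function import_settings_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: refuse to instantiate any class. With
// allowed_classes => false, PHP maps every serialized object to
// __PHP_Incomplete_Class, so no real class's __wakeup()/__destruct() runs.
// Anything that still contains an object is then discarded outright.
function import_settings_hardened(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed or truncated input
    }
    if (contains_object($value)) {
        return null; // an object was smuggled in; drop the whole payload
    }
    return $value;
}

// Recursive check: settings exports should be plain scalars and arrays only.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs (not taken from the advisory).
$benign  = serialize(['cloak_prefix' => 'go', 'redirect_code' => 301]);
// A harmless built-in class stands in for whatever class a gadget chain
// would name; the hardened handler rejects it on shape alone.
$hostile = 'O:8:"stdClass":1:{s:4:"note";s:5:"hello";}';

var_dump(import_settings_hardened($benign));   // array(2) { ... }
var_dump(import_settings_hardened($hostile));  // NULL
// import_settings_vulnerable($hostile) would instead return a live object.
```

For an export/import feature the stronger fix is to avoid PHP's native serialization format entirely and exchange JSON (json_encode / json_decode with associative arrays), since JSON has no notion of object instantiation. The allowed_classes guard above is the minimal change when the serialized format must be kept for compatibility.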
Impact
Exploitation of this vulnerability could allow for PHP Object Injection, with potential consequences depending on the presence of a suitable object injection chain in another installed plugin or theme.
Reproduction
The vulnerability can be reproduced by exporting data from the Affiliate Links WordPress Plugin version 3.0.1 or earlier. This process will trigger the deserialization of untrusted input, allowing for the injection of a PHP object.
Remediation
Users are advised to update the Affiliate Links WordPress Plugin to version 3.1.0 or later.
