WordPress Affiliate Toolkit Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the affiliate-toolkit plugin for WordPress, affecting all versions up to and including 3.8.5. The issue arises because the plugin uses the BladeOne templating engine's runString() method, which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. Because the template source itself is user-controlled, an authenticated attacker with Editor-level access or above can inject PHP into a plugin template and have it executed on the server.
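The following PHP is an added illustration of the pattern the advisory describes and of a safer alternative; it is not code from affiliate-toolkit, WordPress or the BladeOne project. It assumes BladeOne is installed via Composer under the eftec\bladeone namespace, and the directory paths, template names and example_* function names are placeholders. The contrast is the security-relevant point: in the vulnerable form the template source is user data, so runString() turns that data into executable PHP; in the hardened form only developer-shipped template files are compiled, and user input reaches the template solely as escaped variables.

```php
<?php
// Added example, not plugin or library code. Assumes BladeOne via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use eftec\bladeone\BladeOne;

// Assumed paths. $templates contains only developer-authored *.blade.php
// files shipped with the plugin, e.g. templates/product-card.blade.php
// holding: <div class="card"><h2>{{ $title }}</h2><p>{{ $price }}</p></div>
$templates = __DIR__ . '/templates';
$compiled  = __DIR__ . '/cache';
$blade     = new BladeOne($templates, $compiled, BladeOne::MODE_AUTO);

/**
 * VULNERABLE PATTERN (what the advisory describes).
 * $userTemplate is template *source* taken from a user-editable setting.
 * runString() compiles that source to PHP and eval()s it, so anyone who
 * can edit the setting can run arbitrary PHP on the server.
 */
function example_render_vulnerable(BladeOne $blade, string $userTemplate, array $data): string
{
    return $blade->runString($userTemplate, $data);
}

/**
 * HARDENED PATTERN.
 * 1. The template name is checked against an allow-list of files shipped
 *    with the plugin; no user-supplied source is ever compiled.
 * 2. User-controlled values are passed as plain scalars in the data array
 *    and rendered through {{ }}, which BladeOne HTML-escapes on output.
 */
function example_render_hardened(BladeOne $blade, string $templateName, array $userData): string
{
    $allowed = ['product-card', 'product-list'];   // assumed template names
    if (!in_array($templateName, $allowed, true)) {
        throw new InvalidArgumentException('Unknown template: ' . $templateName);
    }

    // Keep only scalars so the template never receives objects or callables.
    $clean = [];
    foreach ($userData as $key => $value) {
        if ($value === null || is_scalar($value)) {
            $clean[$key] = $value;
        }
    }
    return $blade->run($templateName, $clean);
}

/**
 * WordPress-side guard for any template-editing screen (current_user_can()
 * and wp_die() are real WordPress functions). Editors hold edit_posts, so
 * gate template editing on manage_options, which only administrators have.
 */
function example_assert_can_edit_templates(): void
{
    if (!function_exists('current_user_can')) {
        return;                                    // not running inside WordPress
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges to edit plugin templates.');
    }
}

// Usage of the hardened path: user input is data, not template source.
echo example_render_hardened($blade, 'product-card', [
    'title' => $_GET['title'] ?? 'Example product',   // escaped by {{ }} on output
    'price' => $_GET['price'] ?? '0.00',
]);
```

When auditing a plugin for this class of issue, the question to ask is whether any string reaching runString(), eval() or a comparable compile-and-execute call originates from a setting, post field or request parameter that a non-administrator can write. If it does, the capability check alone is not a fix; the template source must move out of user control.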

Impact

Exploitation of this vulnerability allows authenticated users with Editor-level access and above to execute arbitrary code on the server.

Added: May 27, 2026, 8:23 AM
Updated: May 27, 2026, 8:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.9
remediation: 0.0
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.