Auto Affiliate Links
cpe:2.3:a:autoaffiliatelinks:auto_affiliate_links:*:*:*:*:wordpress:*:*
- <= 6.8.8
A stored cross-site scripting vulnerability has been identified in the Auto Affiliate Links plugin for WordPress, affecting all versions up to and including 6.8.8. The issue arises from insufficient input sanitization of the 'url' POST parameter in the 'aal_url_stats_save_action()' function, combined with a complete lack of output escaping in 'aal_display_clicks()', where the stored value is echoed directly into both an anchor element's href attribute and its inner text without the WordPress escaping functions appropriate to those contexts (esc_url() for the attribute and esc_html() for the text). Because the AJAX handler is registered with the 'wp_ajax_nopriv_' hook and the nonce it checks is publicly exposed, unauthenticated attackers can store arbitrary web script that executes in the browser of any administrator who visits the plugin's admin statistics page.
Successful exploitation results in stored cross-site scripting: the injected script runs in the browser of the administrator viewing the affected page, under that administrator's authenticated session.
To reproduce this vulnerability, send a POST request to the 'aal_stats_save' AJAX action (in WordPress this is reached through admin-ajax.php with the 'action' parameter set to 'aal_stats_save', together with the publicly exposed nonce) with a 'url' parameter containing the script payload and the 'aal_statsreset' parameter set to 'yes'. The latter triggers 'aal_url_stats_save_action()', which processes the input and writes it to the database unsanitized. Once the payload is stored, 'aal_display_clicks()' renders it unescaped, and the script executes when an administrator visits the statistics page.
Users are advised to update the Auto Affiliate Links plugin to version 6.8.8.1 or a newer patched version.