The ThirstyAffiliates Link Manager WordPress plugin has two vulnerabilities that allow an attacker to inject links, according to the United States National Vulnerability Database (NVD). The plugin also lacks Cross-Site Request Forgery (CSRF) checking, which can result in the victim’s website being completely compromised.
The ThirstyAffiliates Link Manager Plugin
ThirstyAffiliates Link Manager is a WordPress plugin that provides affiliate link management tools. Affiliate links are constantly changing, and once a link becomes stale, the affiliate no longer earns money from it.
The WordPress affiliate link management plugin solves this problem by allowing affiliate links to be managed from a single area in the WordPress administrator panel, making it simple to change the destination URLs across the entire site by changing one link.
The tool also lets affiliate links be inserted as content is written.
Vulnerabilities in the ThirstyAffiliates Link Manager WordPress Plugin
The National Vulnerability Database (NVD) of the United States described two vulnerabilities that allow any logged-in user, including subscribers, to create affiliate links and upload images with links that can direct users who click on the links to any website.
The NVD describes the vulnerabilities:
CVE-2022-0398
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.”
CVE-2022-0634
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.
Further, the plugin lacks CSRF checks, allowing an attacker to trick a logged-in user into performing the action by crafting a special request.”
Cross-Site Request Forgery
A Cross-Site Request Forgery attack occurs when an attacker causes a logged-in user’s browser to send a request the user did not intend, so that the website executes an arbitrary command with that user’s privileges.
In the absence of CSRF checks, a website cannot distinguish between a legitimate request carrying the logged-in user’s session cookie and a forged request that carries the same cookie (authenticated means logged-in).
If the targeted logged-in user has administrator-level access, the attack can result in a total site takeover.
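As an added illustration (not code from the ThirstyAffiliates plugin, whose internals are not shown here), the following minimal WordPress admin-ajax handler contrasts an action with neither check against one that adds WordPress’s nonce check against CSRF and a capability check for authorization; all action, option, script and function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Action, meta-key, script and
// function names are hypothetical placeholders.

// Weak pattern: every logged-in user can reach a wp_ajax_* action, and nothing
// here verifies the caller's role or that the request was made intentionally.
function example_insert_image_unchecked() {
    $link_id = intval( $_POST['link_id'] ?? 0 );
    $url     = esc_url_raw( wp_unslash( $_POST['image_url'] ?? '' ) );
    update_post_meta( $link_id, '_example_image_url', $url );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_insert_image_unchecked', 'example_insert_image_unchecked' );

// Hardened pattern: the nonce defeats CSRF (a cross-site page cannot read the
// per-user, per-action token), and the capability check enforces authorisation
// (a Subscriber cannot edit posts; an Editor or Administrator can).
function example_insert_image_checked() {
    // 1. CSRF: stops with HTTP 403 unless the 'security' field holds a valid
    //    nonce created by wp_create_nonce( 'example_insert_image' ).
    check_ajax_referer( 'example_insert_image', 'security' );

    // 2. Authorisation: the caller must be allowed to edit this specific link.
    $link_id = intval( $_POST['link_id'] ?? 0 );
    if ( ! current_user_can( 'edit_post', $link_id ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only http(s) URLs for the external image.
    $url = esc_url_raw( wp_unslash( $_POST['image_url'] ?? '' ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_send_json_error( 'invalid image URL', 400 );
    }

    update_post_meta( $link_id, '_example_image_url', $url );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_insert_image_checked', 'example_insert_image_checked' );

// The admin page that issues the request hands the nonce to its script, which
// must send it back as the 'security' POST field.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_insert_image' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The same nonce-plus-capability pair is what reviewers look for in any wp_ajax_* or admin-post handler; a handler with only one of the two is still exposed to the other class of flaw.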
Update the ThirstyAffiliates Link Manager Plugin
The ThirstyAffiliates plugin has released a patch to address the two flaws. Updating to version 3.10.5, the release that contains the fix, is recommended.