{"id":2884,"date":"2022-05-02T15:34:40","date_gmt":"2022-05-02T15:34:40","guid":{"rendered":"https:\/\/seopolarity.com\/blog\/?p=2884"},"modified":"2022-05-04T17:23:46","modified_gmt":"2022-05-04T17:23:46","slug":"vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/","title":{"rendered":"Vulnerabilities in the ThirstyAffiliates WordPress Plugin"},"content":{"rendered":"\n<p>The ThirstyAffiliates Link Manager <a href=\"https:\/\/seopolarity.com\/blog\/vulnerability-in-the-wordpress-plugin-optinmonster-affects-1-million-sites\/2021\/\">WordPress plugin<\/a> has two vulnerabilities that allow an attacker to inject links, according to the United States National Vulnerability Database (NVD). Furthermore, the plugin lacks Cross-Site Request Forgery (CSRF) checks, which can result in the victim&#8217;s website being completely compromised.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ThirstyAffiliates Link Manager Plugin<\/h2>\n\n\n\n<p>ThirstyAffiliates Link Manager is a WordPress plugin that provides affiliate link management tools. 
Affiliate links are constantly changing, and once a link becomes stale, the affiliate no longer earns money from it.<\/p>\n\n\n\n<p>The plugin solves this problem by allowing affiliate links to be managed from a single area in the WordPress administrator panel, making it simple to change a destination URL across the entire site by changing one link.<\/p>\n\n\n\n<p>The tool also lets you insert affiliate links as you write content.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerabilities in the ThirstyAffiliates Link Manager WordPress Plugin<\/h2>\n\n\n\n<p>The United States National Vulnerability Database (NVD) describes two vulnerabilities that allow any logged-in user, including subscribers, to create affiliate links and upload images with links that can direct users who click them to any website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-nvd-describes-the-vulnerabilities\"><strong>The NVD describes the vulnerabilities:<\/strong><\/h3>\n\n\n\n<p><strong>CVE-2022-0398<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cThe ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.\u201d<\/p><\/blockquote>\n\n\n\n<p><strong>CVE-2022-0634<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cThe ThirstyAffiliates 
Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.<\/p><p>Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.\u201d<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Cross-Site Request Forgery (CSRF)<\/h2>\n\n\n\n<p>A Cross-Site Request Forgery attack occurs when an attacker causes a logged-in user&#8217;s browser to send a request to a website that the user did not intend, so that the site carries out the attacker&#8217;s chosen action on the user&#8217;s behalf.<\/p>\n\n\n\n<p>In the absence of CSRF checks, a website cannot distinguish between a request that the logged-in user intended to make and a forged request that arrives with the same user&#8217;s cookie credentials (authenticated means logged-in).<\/p>\n\n\n\n<p>If the logged-in user has administrator-level access, the forged request runs with administrator privileges, so the attack can result in a total site takeover.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">It is recommended that you update the ThirstyAffiliates Link Manager Plugin<\/h2>\n\n\n\n<p>The ThirstyAffiliates developers have released a patch that addresses the two flaws. Updating to the patched version, 3.10.5, is recommended.<\/p>\n\n\n\n<p>Learn more from <a href=\"https:\/\/seopolarity.com\/blog\/category\/web-development\/wp\/\">WordPress<\/a> and read <a href=\"https:\/\/seopolarity.com\/blog\/wordpress-anti-malware-firewall-vulnerability-found\/2022\/\">WordPress Anti-Malware Firewall Vulnerability Found<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ThirstyAffiliates Affiliate Link Manager has two vulnerabilities. 
A WordPress plugin can result in complete site takeover and the insertion of arbitrary links.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[74,76],"tags":[],"class_list":["post-2884","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-web-development","category-wp"],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Vulnerabilities in the ThirstyAffiliates WordPress Plugin | SEOPolarity<\/title>\n<meta name=\"description\" content=\"ThirstyAffiliates Affiliate Link Manager has two vulnerabilities. A WordPress plugin can result in complete site takeover and the insertion of arbitrary links.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vulnerabilities in the ThirstyAffiliates WordPress Plugin\" \/>\n<meta property=\"og:description\" content=\"ThirstyAffiliates Affiliate Link Manager has two vulnerabilities. 
A WordPress plugin can result in complete site takeover and the insertion of arbitrary links.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\" \/>\n<meta property=\"og:site_name\" content=\"SEOPolarity\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-02T15:34:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-05-04T17:23:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/seopolarity.com\/blog\/wp-content\/uploads\/2022\/05\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"seoadmin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Vulnerabilities in the ThirstyAffiliates WordPress Plugin\" \/>\n<meta name=\"twitter:description\" content=\"ThirstyAffiliates Affiliate Link Manager has two vulnerabilities. A WordPress plugin can result in complete site takeover and the insertion of arbitrary links.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/seopolarity.com\/blog\/wp-content\/uploads\/2022\/05\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"seoadmin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\"},\"author\":{\"name\":\"seoadmin\",\"@id\":\"https:\/\/seopolarity.com\/blog\/#\/schema\/person\/95a6a9a6680ce217386574a4984fa538\"},\"headline\":\"Vulnerabilities in the ThirstyAffiliates WordPress Plugin\",\"datePublished\":\"2022-05-02T15:34:40+00:00\",\"dateModified\":\"2022-05-04T17:23:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\"},\"wordCount\":446,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/#organization\"},\"articleSection\":[\"Web Development\",\"WordPress\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\",\"url\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\",\"name\":\"Vulnerabilities in the ThirstyAffiliates WordPress Plugin | SEOPolarity\",\"isPartOf\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/#website\"},\"datePublished\":\"2022-05-02T15:34:40+00:00\",\"dateModified\":\"2022-05-04T17:23:46+00:00\",\"description\":\"ThirstyAffiliates Affiliate Link Manager has two vulnerabilities. 
A WordPress plugin can result in complete site takeover and the insertion of arbitrary links.\",\"breadcrumb\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/seopolarity.com\/blog\/vulnerabilities-in-the-thirstyaffiliates-wordpress-plugin\/2022\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/seopolarity.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vulnerabilities in the ThirstyAffiliates WordPress Plugin\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/seopolarity.com\/blog\/#website\",\"url\":\"https:\/\/seopolarity.com\/blog\/\",\"name\":\"SEO Polarity Blog\",\"description\":\"Free Online SEO Tools &amp; Blogs\",\"publisher\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/seopolarity.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/seopolarity.com\/blog\/#organization\",\"name\":\"SEO Polarity\",\"url\":\"https:\/\/seopolarity.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/seopolarity.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/seopolarity.com\/blog\/wp-content\/uploads\/2021\/10\/seopolarity-logo-header.png\",\"contentUrl\":\"https:\/\/seopolarity.com\/blog\/wp-content\/uploads\/2021\/10\/seopolarity-logo-header.png\",\"width\":193,\"height\":30,\"caption\":\"SEO 
Polarity\"},\"image\":{\"@id\":\"https:\/\/seopolarity.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/seopolarity.com\/blog\/#\/schema\/person\/95a6a9a6680ce217386574a4984fa538\",\"name\":\"seoadmin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/seopolarity.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/779772115dd1b79d5fbb91a1e2d3acb5318c780d6986d556300e1902f867ee5b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/779772115dd1b79d5fbb91a1e2d3acb5318c780d6986d556300e1902f867ee5b?s=96&d=mm&r=g\",\"caption\":\"seoadmin\"},\"sameAs\":[\"https:\/\/seopolarity.com\/blog\"],\"url\":\"https:\/\/seopolarity.com\/blog\/author\/seoadmin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/posts\/2884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/comments?post=2884"}],"version-history":[{"count":2,"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/posts\/2884\/revisions"}],"predecessor-version":[{"id":2887,"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/posts\/2884\/revisions\/2887"}],"wp:attachment":[{"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/media?parent=2884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/categories?post=2884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seopolarity.com\/blog\/wp-json\/wp\/v2\/tags?post=2884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}