The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8. This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page; the scripts execute in an administrator's browser when the page is visited. The attack leverages a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
The Auto Affiliate Links WordPress plugin versions up to 6.8.8 contain a Stored Cross-Site Scripting vulnerability in the statistics page due to insufficient input sanitization and missing output escaping. Unauthenticated attackers can inject malicious scripts that execute in administrators' browsers through a publicly exposed AJAX endpoint.
A Stored XSS vulnerability in the Auto Affiliate Links plugin for WordPress allows unauthenticated attackers to inject malicious scripts through the URL parameter of the aal_url_stats_save_action() function. The injected scripts execute in the administrator's browser when the statistics page is visited, without any authentication being required.
Update the Auto Affiliate Links plugin to version 6.8.9 or later immediately. Implement input validation and sanitization using sanitize_text_field() or sanitize_url() for the url parameter. Apply proper output escaping using esc_url(), esc_attr(), and esc_html() functions when displaying stored values. Consider implementing additional nonce validation and restricting AJAX endpoints to authenticated users only.
Update the Auto Affiliate Links plugin to version 6.8.9 or later immediately. Apply input validation and sanitization using the sanitize_text_field() or sanitize_url() functions. Apply proper output escaping using the esc_url(), esc_attr() and esc_html() functions. Consider implementing additional nonce validation and restricting AJAX endpoints to authorized users only.
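As an added example, not the plugin's own code, the following shows the hardened form of the save-and-display pattern the advisory describes: the handler is registered only for authenticated requests (no wp_ajax_nopriv_ hook), the nonce is checked, the 'url' value is sanitized and validated on input, and it is escaped on output for each context it lands in. The function and option names (aal_example_*) are hypothetical; the block assumes the WordPress core functions named in the advisory plus check_ajax_referer(), wp_unslash(), wp_parse_url() and the options API.

```php
<?php
// Added example (not the plugin's own code). Names prefixed aal_example_ are hypothetical.

// 1. Register for authenticated requests only. Omitting the wp_ajax_nopriv_
//    registration means anonymous callers get no endpoint at all.
add_action( 'wp_ajax_aal_example_save', 'aal_example_save_click' );

function aal_example_save_click() {
    // 2. Reject requests without a valid nonce bound to this specific action.
    check_ajax_referer( 'aal_example_save', 'nonce' );

    // 3. Sanitize on input: sanitize_url() drops disallowed protocols such as
    //    javascript: and strips characters that cannot appear in a URL.
    $url = isset( $_POST['url'] ) ? sanitize_url( wp_unslash( $_POST['url'] ) ) : '';

    // 4. Validate: only http(s) links make sense as affiliate URLs; anything
    //    else is rejected rather than stored.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // Persist a per-URL click counter (hypothetical option name).
    $clicks = get_option( 'aal_example_clicks', array() );
    $clicks[ $url ] = isset( $clicks[ $url ] ) ? (int) $clicks[ $url ] + 1 : 1;
    update_option( 'aal_example_clicks', $clicks );
    wp_send_json_success();
}

// Display side: escape on output for the context the value lands in, even
// though it was sanitized on the way in (defence in depth).
function aal_example_display_clicks() {
    $clicks = get_option( 'aal_example_clicks', array() );
    foreach ( $clicks as $url => $count ) {
        printf(
            '<tr><td><a href="%1$s">%2$s</a></td><td>%3$d</td></tr>',
            esc_url( $url ),  // href attribute: URL escaping
            esc_html( $url ), // anchor inner text: HTML escaping
            (int) $count      // integer cast, no string interpolation
        );
    }
}
```

The two escaping calls differ because the same stored string is emitted into two different contexts; using esc_html() alone would leave the href attribute exposed, and esc_url() alone would not protect the text node.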