ThirstyAffiliates WordPress Plugin Vulnerabilities
The US National Vulnerability Database (NVD) has published two vulnerabilities in the ThirstyAffiliates Affiliate Link Manager WordPress plugin that can allow a low-privileged user to inject affiliate links. Additionally, the plugin lacks Cross-Site Request Forgery (CSRF) protection on the affected actions, which can lead to complete compromise of the victim’s website if an administrator is tricked into sending the forged request.
ThirstyAffiliates Link Manager Plugin
The ThirstyAffiliates Link Manager WordPress plugin offers affiliate link management tools. Affiliate links are constantly changing and once a link becomes obsolete, the affiliate will no longer earn money from that link.
The ThirstyAffiliates Link Manager plugin solves this problem by providing a way to manage affiliate links from a single area in the WordPress admin panel, making it easy to change a destination URL across the entire site by editing a single link.
The tool allows adding affiliate links in the content as the content is written.
ThirstyAffiliates Link Manager WordPress Plugin Vulnerabilities
The US National Vulnerability Database (NVD) describes two vulnerabilities that allow any logged-in user, including subscriber-level users, to create affiliate links and to attach an image from an external URL to an affiliate link. Because an affiliate link is a redirect, a link created this way can send any visitor who clicks it to a website of the attacker’s choosing.
The NVD describes the vulnerabilities:
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin prior to 3.10.5 lacks authorization and CSRF checks when creating affiliate links, which could allow any authenticated user, such as a subscriber, to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.”
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin prior to 3.10.5 lacks permission checks in the ta_insert_external_image action, allowing a low-privileged user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.
Additionally, the plugin lacks CSRF checks, allowing an attacker to trick a logged-in user into performing the action by crafting a special request.”
Cross-site request forgery
A Cross-Site Request Forgery (CSRF) attack tricks a logged-in user’s browser into sending a request to a website that the user never intended to make, for example by having an attacker-controlled page silently submit a form to the target site.
In a website that lacks CSRF controls, the server cannot tell the difference between a request the user deliberately made and one a third-party page caused their browser to send, because the browser attaches the user’s session cookies either way and the request therefore arrives authenticated (that is, as the logged-in user).
If the logged-in user who is tricked has administrator-level access, the forged request runs with administrator privileges, so the attack can result in a full site takeover.
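The two NVD entries above both come down to the same pair of missing checks in a WordPress AJAX handler: no authorization (capability) check, so a Subscriber can call the action, and no nonce check, so a cross-site page can make an administrator’s browser call it. The following is an added illustration written for this article, not ThirstyAffiliates code; the action names, option key, form fields and the `manage_options` capability are assumptions chosen to show the pattern. It places a handler with both defects beside the hardened form that a patched plugin would use.

```php
<?php
/**
 * Illustrative WordPress AJAX handlers (example code for this article,
 * not the plugin's own). Action names, the 'example_links' option key
 * and the required capability are assumptions.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* hooks fire for ANY logged-in user, including Subscribers.
// Nothing here verifies who is asking or whether they meant to ask.
add_action( 'wp_ajax_example_create_link', 'example_create_link_vulnerable' );
function example_create_link_vulnerable() {
    $slug   = sanitize_title( wp_unslash( $_POST['slug'] ?? '' ) );
    $target = esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) );

    // Stored with no capability or nonce check: a Subscriber can create a
    // redirect to an arbitrary site, and a cross-site form post can make an
    // Administrator's browser do it for them (CSRF).
    $links          = get_option( 'example_links', array() );
    $links[ $slug ] = $target;
    update_option( 'example_links', $links );

    wp_send_json_success( array( 'slug' => $slug ) );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_create_link_safe', 'example_create_link_safe' );
function example_create_link_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action and
    //    this user. check_ajax_referer() stops the request with HTTP 403
    //    if the nonce is missing, expired or forged.
    check_ajax_referer( 'example_create_link', '_ajax_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege. Require
    //    a capability that a Subscriber does not have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 ); // calls wp_die()
    }

    $slug   = sanitize_title( wp_unslash( $_POST['slug'] ?? '' ) );
    $target = esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) );

    // 3. Input validation: esc_url_raw() strips unknown schemes but still
    //    allows several (ftp, mailto, ...); allow-list http(s) explicitly.
    $scheme = wp_parse_url( $target, PHP_URL_SCHEME );
    if ( '' === $slug || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'Invalid link', 400 );
    }

    $links          = get_option( 'example_links', array() );
    $links[ $slug ] = $target;
    update_option( 'example_links', $links );

    wp_send_json_success( array( 'slug' => $slug ) );
}

// The legitimate admin form is the only place the nonce is issued, so only
// a request built from this page can satisfy check_ajax_referer(). An
// attacker's page on another origin cannot read this value.
function example_render_link_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_create_link_safe">';
    wp_nonce_field( 'example_create_link', '_ajax_nonce' );
    echo '<input type="text" name="slug" placeholder="link slug">';
    echo '<input type="url" name="target" placeholder="https://destination.example">';
    submit_button( 'Create link' );
    echo '</form>';
}
```

Note that the two checks are not interchangeable. A nonce by itself does not stop the Subscriber-level abuse: nonces are tied to the user, so a logged-in Subscriber can obtain a valid one from any page that exposes it to them. The capability check is what closes that hole, and the nonce check is what closes the CSRF hole against administrators.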
ThirstyAffiliates Link Manager Plugin Update Is Recommended
The ThirstyAffiliates developers have released a fix for both vulnerabilities. Site owners running any version earlier than 3.10.5 should check the version shown on the WordPress Plugins screen and update to 3.10.5 or later.