ThirstyAffiliates WordPress Plugin Vulnerabilities

The United States National Vulnerability Database (NVD) announced that the Thirsty Affiliate Link Manager WordPress plugin has two vulnerabilities that could allow a hacker to inject links. Additionally the plugin lacks cross-site request forgery checks which can lead to complete compromise of the victim’s website.

Thirsty Partner Link Manager Plugin

Thirsty Affiliate Link Manager WordPress plugin provides affiliate link management tools. Affiliate links are constantly changing and once a link becomes stale, the affiliate will not make money from that link.

The WordPress Affiliate Link Management plugin solves this problem by providing a way to manage affiliate links from a single area in the WordPress admin panel, making it easy to change the destination URL on an entire site by replacing a single link.

The tool gives a way to add affiliate links within the content as the content is written.

Thirsty Affiliate Link Manager WordPress Plugin Vulnerabilities

The United States National Vulnerability Database (NVD) has described two vulnerabilities that allow any logged-in user, including users at the subscriber level, to create affiliate links and upload images with links that are linked to any website. Can direct users to click on the link. ,

Description of nvd Weaknesses:


“The ThirstyAffiliates Affiliate Link Manager WordPress Plugin prior to 3.10.5 does not perform authorization and CSRF checks when creating affiliate links, which may allow any authenticated user, such as a customer, to create arbitrary affiliate links, which can be used by users.” to be redirected to an arbitrary website.”


“Prior to Thirsty Affiliates Affiliate Link Manager WordPress Plugin 3.10.5 the ta_insert_external_image action lacks authorization checks, allowing a low-privilege user (with a reduced role as a subscriber) to add an image from an external URL to an affiliate link allows.

Also the plugin lacks CSRF checks, allowing an attacker to trick a logged in user into taking action by crafting a special request.

Cross-Site Request Forgery

A cross-site request forgery attack is one that causes a logged-in user to execute an arbitrary command on a website through the browser being used by the site visitor.

In a website that lacks CSRF checks, the website cannot tell the difference between a browser displaying the cookie credentials of the logged-in user and a fake authenticated request (authenticated means logged-in).

If the logged-in user has administrator-level access, the attack could lead to total site takeover as the entire website is compromised.

It is recommended to update Thirty Affiliates Link Manager Plugin

ThirstyAffiliates plugin has released a patch for two vulnerabilities. It may be prudent to update to 3.10.5, the most secure version of the plugin.


Read official NVD vulnerability warnings

CVE-2022-0634 Description

CVE-2022-0398 Description

Read WP Scan Vulnerability Description and Review Proof of Concepts

Thirsty Affiliate Link Manager < 3.10.5 - Subscriber+ Arbitrary Affiliate Link Creation

Thirsty Colleagues < 3.10.5 - Subscribers + Unauthorized Image Upload + CSRF

Source link

Leave a Comment