VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Sep 18, 2024

Auto Affiliate Links Vulnerabilities

Review known vulnerability records for the WordPress plugin Auto Affiliate Links (`wp-auto-affiliate-links`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-9838, CVE-2024-34386 and CVE-2024-1843, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
10
High or Critical
2
Patch Coverage
100%
Last Updated
May 29, 2025
Priority CVE Quick Links

Fast paths into Auto Affiliate Links CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
7
CVE-2024-34386 Critical 6.4.4
CVE-2024-34386 Auto Affiliate Links SQL Injection

Auto Affiliate Links <= 6.4.3.1 - Authenticated (Editor+) SQL Injection

CVE-2023-47652 Medium 6.4.2.5
CVE-2023-47652 Auto Affiliate Links Stored Cross-Site Scripting

Auto Affiliate Links <= 6.4.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

CVE-2022-45840 Medium 6.2.1.6
CVE-2022-45840 Auto Affiliate Links Vulnerability

Auto Affiliate Links <= 6.2.1.5 - Authenticated (Subscriber+) Plugin Settings Change

CVE-2024-9838 Medium 6.4.7
CVE-2024-9838 Auto Affiliate Links SQL Injection

Auto Affiliate Links <= 6.4.6 - Authenticated (Admin+) SQL Injection

CVE-2024-1843 Medium 6.4.3.1
CVE-2024-1843 Auto Affiliate Links Vulnerability

Auto Affiliate Links <= 6.4.3 - Missing Authorization via aalAddLink

CVE-2023-25973 Medium 6.3.0.3
CVE-2023-25973 Auto Affiliate Links Cross-Site Request Forgery

Auto Affiliate Links <= 6.3.0.2 - Cross-Site Request Forgery via aalChangeOptions function

CVE-2023-22689 Medium 6.3.0.1
CVE-2023-22689 Auto Affiliate Links Cross-Site Request Forgery

Auto Affiliate Links <= 6.3 - Cross-Site Request Forgery via aalDeleteLink function

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Auto Affiliate Links so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
2 critical and 0 high severity findings.
Recent CVEs
CVE-2024-9838, CVE-2024-34386 and CVE-2024-1843
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Auto Affiliate Links

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2024-9838
CVE-2024-9838: Auto Affiliate Links <= 6.4.6 - Authenticated (Admin+) SQL Injection

The Auto Affiliate Links plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authentica...

Published
Sep 18, 2024
Patched Release
6.4.7
Affected Versions
Versions up to 6.4.6
Next Step
Update to 6.4.7 or newer if supported.
Open CVE-2024-9838 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-34386
CVE-2024-34386: Auto Affiliate Links <= 6.4.3.1 - Authenticated (Editor+) SQL Injection

The Auto Affiliate Links plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.4.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenti...

Published
May 06, 2024
Patched Release
6.4.4
Affected Versions
Versions up to 6.4.3.1
Next Step
Update to 6.4.4 or newer if supported.
Open CVE-2024-34386 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1843
CVE-2024-1843: Auto Affiliate Links <= 6.4.3 - Missing Authorization via aalAddLink

The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or...

Published
Mar 11, 2024
Patched Release
6.4.3.1
Affected Versions
Versions up to 6.4.3
Next Step
Update to 6.4.3.1 or newer if supported.
Open CVE-2024-1843 Report Open CVE Reference
Plugin Medium Patched: Yes
Auto Affiliate Links <= 6.4.2.7 - Cross-Site Request Forgery

The Auto Affiliate Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.2.7. This is due to missing or incorrect nonce validation on the wpaal_stats() function. This makes it possible for unauthenticated attackers to res...

Published
Jan 09, 2024
Patched Release
6.4.2.8
Affected Versions
Versions up to 6.4.2.7
Next Step
Update to 6.4.2.8 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes
Auto Affiliate Links <= 6.4.2.5 - Cross-Site Request Forgery

The Auto Affiliate Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.4.2.5. This is due to missing or incorrect nonce validation on several functions such as aal_exclude_terms_actions and aal_exclude_words_actions. This mak...

Published
Nov 20, 2023
Patched Release
6.4.2.6
Affected Versions
Versions up to 6.4.2.5
Next Step
Update to 6.4.2.6 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes CVE-2023-47652
CVE-2023-47652: Auto Affiliate Links <= 6.4.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Auto Affiliate Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.4.2.4. This is due to missing or incorrect nonce validation on several functions such as aalUpdateExcludePosts(). This makes it possible for unauthenticat...

Published
Nov 07, 2023
Patched Release
6.4.2.5
Affected Versions
Versions up to 6.4.2.4
Next Step
Update to 6.4.2.5 or newer if supported.
Open CVE-2023-47652 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-25973
CVE-2023-25973: Auto Affiliate Links <= 6.3.0.2 - Cross-Site Request Forgery via aalChangeOptions function

The Auto Affiliate Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.0.2. This is due to missing or incorrect nonce validation on the 'aalChangeOptions' function. This makes it possible for unauthenticated attackers to mo...

Published
Feb 22, 2023
Patched Release
6.3.0.3
Affected Versions
Versions up to 6.3.0.2
Next Step
Update to 6.3.0.3 or newer if supported.
Open CVE-2023-25973 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-45840
CVE-2022-45840: Auto Affiliate Links <= 6.2.1.5 - Authenticated (Subscriber+) Plugin Settings Change

The Auto Affiliate Links plugin for WordPress is vulnerable to improper access control via multiple AJAX actions in versions up to, and including, 6.2.1.5. This allows authenticated attackers with subscriber-level permissions or above to modify plugin settings such as adding excl...

Published
Feb 06, 2023
Patched Release
6.2.1.6
Affected Versions
Versions up to 6.2.1.5
Next Step
Update to 6.2.1.6 or newer if supported.
Open CVE-2022-45840 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-22689
CVE-2023-22689: Auto Affiliate Links <= 6.3 - Cross-Site Request Forgery via aalDeleteLink function

The Auto Affiliate Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.0.1. This is due to missing or incorrect nonce validation on the aalDeleteLink() function. This makes it possible for unauthenticated attackers to delet...

Published
Feb 02, 2023
Patched Release
6.3.0.1
Affected Versions
Versions up to 6.3
Next Step
Update to 6.3.0.1 or newer if supported.
Open CVE-2023-22689 Report Open CVE Reference
Plugin Critical Patched: Yes
Auto Affiliate Links < 5.0 - SQL Injection

The Auto Affiliate Links plugin for WordPress is vulnerable to multiple SQL Injections via the 'aal_massstring' and 'aalorder' parameters in versions before 5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

Published
Jul 15, 2015
Patched Release
5.0
Affected Versions
Versions before 5.0
Next Step
Update to 5.0 or newer if supported.
Open Full Report