The United States National Vulnerability Database (NVD) announced that the Thirsty Affiliate Link Manager WordPress plugin has two vulnerabilities that can allow a hacker to inject links. Additionally the plugin lacks Cross-Site Request Forgery checking which can lead to a complete compromise of the victim’s website.

ThirstyAffiliates Link Manager Plugin

The ThirstyAffiliates Link Manager WordPress plugin offers affiliate link management tools. Affiliate links are constantly changing and once a link goes stale the affiliate will no longer earn money from that link.

The WordPress affiliate link management plugin solves this problem by providing a way to manage affiliate links from a single area in the WordPress administrator panel, which makes it easy to change the destination URLs across the entire site by changing one link.

The tool allows a way to add affiliate links within the content as the content is written.

ThirstyAffiliate Link Manager WordPress Plugin Vulnerabilities

The United States National Vulnerability Database (NVD) described two vulnerabilities that allow any logged-in user, including users at the subscriber level, to create affiliate links and also to upload images with links that can direct users who click on the links to any website.

The NVD describes the vulnerabilities:

CVE-2022-0398

“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.”

CVE-2022-0634

“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.

Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.”

Cross-Site Request Forgery

A Cross-Site Request Forgery attack is one that causes a logged-in user to execute an arbitrary command on a website through the browser that the site visitor is using.

In a website that’s lacking CSRF checks, the website cannot tell the difference between a browser displaying cookie credentials of a logged-in user and a forged authenticated request (authenticated means logged-in).

If the logged-in user has administrator-level access then the attack can lead to a total site takeover because the entire website is compromised.

Updating ThirstyAffiliates link Manager Plugin is Recommended

The ThirstyAffiliates plugin has issued a patch for the two vulnerabilities. It may be prudent to update to the safest version of the plugin, 3.10.5.

Citations

Read the Official NVD Vulnerability Warnings

CVE-2022-0634 Detail

CVE-2022-0398 Detail

Read the WP Scan Vulnerability Details and Review the Proof of Concepts

ThirstyAffiliates Affiliate Link Manager < 3.10.5 – Subscriber+ Arbitrary Affiliate Links Creation

ThirstyAffiliates < 3.10.5 – Subscriber+ unauthorized image upload + CSRF