CVE-2026-7330: WordPress Auto Affiliate Links Plugin Stored XSS

The National Vulnerability Database has identified CVE-2026-7330, a high-severity (CVSS 7.2) Stored Cross-Site Scripting (XSS) vulnerability in the Auto Affiliate Links plugin for WordPress, affecting versions up to and including 6.8.8. This flaw stems from inadequate input sanitization on the ‘url’ POST parameter within the aal_url_stats_save_action() function and a complete lack of output escaping in aal_display_clicks().

This oversight allows unauthenticated attackers to store arbitrary web script that is later rendered on the admin statistics page. The exploit leverages a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook. When an administrator views the statistics page containing the stored payload, the script executes in their browser, potentially leading to session hijacking, data theft, or further compromise of the WordPress site.
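As an added illustration (not the plugin's own code), here is a hardened shape for the two functions the advisory names, covering the three weaknesses it describes: unsanitized input on 'url', unescaped output in the statistics view, and an endpoint that anonymous visitors can reach, for which a nonce is not an authorization boundary. The hook name, nonce action, option name and the stored statistics layout are assumptions.

```php
<?php
// Hypothetical hardened handler; hook, nonce action and option name are assumed, not the plugin's.
// The endpoint stays registered for anonymous visitors because click tracking is a public feature,
// so the request body is treated as fully untrusted regardless of the nonce check.
add_action( 'wp_ajax_aal_url_stats_save', 'aal_url_stats_save_action' );
add_action( 'wp_ajax_nopriv_aal_url_stats_save', 'aal_url_stats_save_action' );

function aal_url_stats_save_action() {
    // A nonce only proves the request came from a page that rendered it; since the advisory
    // notes the nonce is publicly exposed, it provides CSRF protection, not authorization.
    check_ajax_referer( 'aal_url_stats_nonce', 'nonce' );

    // Validate and sanitize 'url' before it is stored: esc_url_raw() strips non-URL characters
    // and disallowed schemes, wp_http_validate_url() rejects anything that is not an http(s) URL.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // Store only the validated URL and an integer counter (assumed layout: url => click count).
    $stats         = get_option( 'aal_url_stats', array() );
    $stats[ $url ] = isset( $stats[ $url ] ) ? (int) $stats[ $url ] + 1 : 1;
    update_option( 'aal_url_stats', $stats );

    wp_send_json_success();
}

function aal_display_clicks() {
    // Admin-only view; escape every value on output even though input was validated,
    // so that a record written by an older, unpatched version cannot execute script.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $stats = get_option( 'aal_url_stats', array() );
    echo '<table class="widefat"><thead><tr><th>URL</th><th>Clicks</th></tr></thead><tbody>';
    foreach ( $stats as $url => $clicks ) {
        printf(
            '<tr><td><a href="%1$s">%2$s</a></td><td>%3$d</td></tr>',
            esc_url( $url ),    // attribute context
            esc_html( $url ),   // text context
            (int) $clicks       // numeric context
        );
    }
    echo '</tbody></table>';
}
```

Escaping in aal_display_clicks() is the control that holds even if validation in the save handler is bypassed or records predate the fix, which is why both are needed rather than either alone.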

Attackers’ calculus here is simple: target the widely used WordPress ecosystem, exploit a common vulnerability class (XSS), and gain unauthenticated access to execute code in an admin context. This is a low-effort, high-impact attack vector against a popular plugin.

What This Means For You

  • If your organization uses the Auto Affiliate Links plugin for WordPress, immediately check your version. Any installation up to and including 6.8.8 is vulnerable. Patch or disable this plugin without delay. Audit your WordPress admin logs for any suspicious activity, especially around the statistics pages, as unauthenticated attackers can weaponize this to compromise your administrative interfaces.

Indicators of Compromise

ID             Type  Indicator
CVE-2026-7330  XSS   Auto Affiliate Links plugin for WordPress versions <= 6.8.8
CVE-2026-7330  XSS   Insufficient input sanitization on 'url' POST parameter in aal_url_stats_save_action() function
CVE-2026-7330  XSS   Absence of output escaping in aal_display_clicks() function
CVE-2026-7330  XSS   Vulnerable AJAX endpoint registered via wp_ajax_nopriv_ hook
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
