Stored Cross-Site Scripting Vulnerability in Auto Affiliate Links Plugin for WordPress
CVE-2026-7330

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 8 May 2026

What is CVE-2026-7330?

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting because of inadequate input sanitization and output escaping in its code. Unauthenticated attackers can exploit this weakness through the 'url' POST parameter to inject arbitrary scripts that execute in an administrator's browser. Affected versions of the plugin store the submitted data without proper encoding, which exposes the admin statistics page to malicious web scripts. Users are advised to update to the latest version to mitigate this security risk.

Affected Version(s)

Auto Affiliate Links: versions 0 through 6.8.8 (<= 6.8.8)

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alfa Fakhrur Rizal Zaini