HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-7330 — The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site...

·Source: NIST NVD

Updated:

Executive Summary

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute a

Analysis

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook. CVSS Score: 7.2. Published: 2026-05-08T09:16:10.100.

Indicators of Compromise (1)

CVE (1)
CVE-2026-7330
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 8, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel

<p><b>Bulletin ID:</b> 2026-029-AWS<br> <b>Scope:</b> AWS<br> <b>Content Type:</b> Important (requires attention)<br> <b>Publication Date:</b> 05/13/2026 18:45 PM PDT</p> <p><b>This is an ongoing issue. Information is subject to change. Please refer to our Security Bulletin (ID: 2026-030-AWS) for the most updated patching information.</b></p> <p><b>Description:</b></p> <p>Amazon is aware of CVE-20

CVE-2026-46300CVE-2026-43284
AWS Security Bulletins
LOWVulnerability

Ongoing updates on Copy.fail and variants

<p><b>Bulletin ID:</b> 2026-030-AWS<br> <b>Scope:</b> AWS<br> <b>Content Type:</b> Important (requires attention)<br> <b>Publication Date:</b> 05/13/2026 10:00 PM PDT</p> <p><b>This is an ongoing issue. This bulletin will be updated as more information becomes available.</b></p> <p><b>Description:</b></p> <p>AWS is aware of the copy.fail or DirtyFrag class of issues - a set of privilege escalation

AWS Security Bulletins
MEDIUMVulnerability

Bunq applies for Mexican banking license

Bunq, the European neobank for "global citizens", has applied for a Mexican banking license.

Finextra