The United States National Vulnerability Database (NVD) announced that the ThirstyAffiliates Affiliate Link Manager WordPress plugin has two vulnerabilities that can allow a hacker to inject links. Additionally, the plugin lacks Cross-Site Request Forgery (CSRF) checks, which can lead to a complete compromise of the victim’s website.
ThirstyAffiliates Link Manager Plugin
The ThirstyAffiliates Link Manager WordPress plugin offers affiliate link management tools. Affiliate links are constantly changing and once a link goes stale the affiliate will no longer earn money from that link.
The WordPress affiliate link management plugin solves this problem by providing a way to manage affiliate links from a single area in the WordPress administrator panel, which makes it easy to change the destination URLs across the entire site by changing one link.
The tool allows a way to add affiliate links within the content as the content is written.
ThirstyAffiliates Link Manager WordPress Plugin Vulnerabilities
The United States National Vulnerability Database (NVD) described two vulnerabilities that allow any logged-in user, including users at the subscriber level, to create affiliate links and also to upload images with links that can direct users who click on the links to any website.
The NVD describes the vulnerabilities:
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.”
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.
Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.”
Cross-Site Request Forgery
A Cross-Site Request Forgery attack is one that causes a logged-in user’s browser to submit a request, and so perform an action, on a website that the user never intended.
Because the browser automatically attaches the site’s session cookie to every request it sends there, a website that lacks CSRF checks cannot distinguish a request the logged-in user intended from a forged request that another site tricked the browser into sending (authenticated means logged-in).
If the logged-in user has administrator-level access, the forged request runs with those privileges, and the attack can lead to a total site takeover.
Open Web Application Security Project® (OWASP), a non-profit organization with tens of thousands of members that is a resource for improving software security, offers a definition of CSRF which states that if the attack is launched against a user with administrative privileges then the entire web application can be compromised.
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
…If the victim is an administrative account, CSRF can compromise the entire web application.”
OWASP further states how an administrator level account can be compromised through a CSRF attack:
“For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.”
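The two NVD entries above describe the same defensive gap twice: a privileged action that checks neither who the caller is nor whether the request was intentionally sent from the site’s own pages. The following PHP is an added example, not code from the ThirstyAffiliates plugin, showing a WordPress-style AJAX handler for a hypothetical “insert external image” action in the vulnerable shape and in a hardened shape. The action name `ta_demo_insert_image`, the `edit_posts` capability, the demo user and the nonce shims are all assumptions made for the example; in a real plugin the `current_user_can`, `wp_create_nonce`, `wp_verify_nonce`, `add_action` and `wp_send_json` functions come from WordPress core, and the shims exist only so the file runs under the plain `php` command line.

```php
<?php
// Added example, not the plugin's own code. Demonstrates why a privileged
// AJAX action needs both an authorization check and a CSRF (nonce) check.

// --- Minimal stand-ins so this file runs outside WordPress (php CLI). ---
// Real WordPress nonces are tied to the user's session and expire after a
// tick; these shims only imitate the behaviour closely enough for the demo.
if ( ! function_exists( 'current_user_can' ) ) {
    $GLOBALS['demo_user'] = [ 'id' => 7, 'caps' => [ 'read' ] ]; // constructed: a Subscriber
    function current_user_can( $cap ) {
        return in_array( $cap, $GLOBALS['demo_user']['caps'], true );
    }
    function wp_create_nonce( $action ) {
        return hash_hmac( 'sha256', $action . '|' . $GLOBALS['demo_user']['id'], 'demo-secret' );
    }
    function wp_verify_nonce( $nonce, $action ) {
        return hash_equals( wp_create_nonce( $action ), (string) $nonce );
    }
}

// Vulnerable shape: trusts the session cookie alone. Any logged-in user,
// and any request a third-party page tricks the browser into sending,
// reaches the privileged code path.
function ta_demo_insert_image_vulnerable( array $request ): array {
    return [ 'ok' => true, 'attached' => $request['image_url'] ?? '' ];
}

// Hardened shape: (1) check the caller's capability, (2) verify the nonce
// that only a page served by this site could have embedded in the form,
// (3) validate the input before acting on it.
function ta_demo_insert_image_hardened( array $request ): array {
    if ( ! current_user_can( 'edit_posts' ) ) {                                  // authorization
        return [ 'ok' => false, 'error' => 'forbidden' ];
    }
    if ( ! wp_verify_nonce( $request['nonce'] ?? '', 'ta_demo_insert_image' ) ) { // CSRF check
        return [ 'ok' => false, 'error' => 'bad nonce' ];
    }
    $url = filter_var( $request['image_url'] ?? '', FILTER_VALIDATE_URL );
    $scheme = $url === false ? null : parse_url( $url, PHP_URL_SCHEME );
    if ( $url === false || ! in_array( $scheme, [ 'http', 'https' ], true ) ) {  // input validation
        return [ 'ok' => false, 'error' => 'invalid url' ];
    }
    return [ 'ok' => true, 'attached' => $url ];
}

// Inside WordPress, hook the hardened handler for logged-in users only
// (the wp_ajax_ prefix, unlike wp_ajax_nopriv_, is not reachable anonymously).
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_ta_demo_insert_image', function () {
        wp_send_json( ta_demo_insert_image_hardened( $_POST ) );
    } );
}

// Demo run (constructed input): a Subscriber's request that carries no nonce,
// which is exactly the shape a cross-site forged form would produce.
$no_nonce = [ 'image_url' => 'https://example.com/pic.png' ];
var_dump( ta_demo_insert_image_vulnerable( $no_nonce ) );
var_dump( ta_demo_insert_image_hardened( $no_nonce ) );

// Now the demo user gets an editing capability and a freshly issued nonce,
// as a form rendered by the site itself would provide.
$GLOBALS['demo_user']['caps'][] = 'edit_posts';
$legit = $no_nonce + [ 'nonce' => wp_create_nonce( 'ta_demo_insert_image' ) ];
var_dump( ta_demo_insert_image_hardened( $legit ) );
```

Run with `php` on the command line: the vulnerable handler accepts the Subscriber’s nonce-less request, the hardened handler rejects it as forbidden, and only the request that carries both the capability and a site-issued nonce is accepted. The two checks guard different things, which is why the NVD lists them separately: the capability check stops a low-privilege account from reaching the action at all, and the nonce check stops a forged request from an account that does hold the capability, such as an administrator lured onto an attacker-controlled page.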
Updating the ThirstyAffiliates Link Manager Plugin is Recommended
The ThirstyAffiliates developers have issued a patch for the two vulnerabilities. It may be prudent to update to the patched version of the plugin, 3.10.5.
Read the Official NVD Vulnerability Warnings
Read the WP Scan Vulnerability Details and Review the Proof of Concepts
ThirstyAffiliates Affiliate Link Manager < 3.10.5 – Subscriber+ Arbitrary Affiliate Links Creation
ThirstyAffiliates < 3.10.5 – Subscriber+ unauthorized image upload + CSRF