CVE-2025-8877

WordPress · WordPress AffiliateWP Plugin

A high-severity SQL Injection vulnerability has been identified in the AffiliateWP plugin for WordPress.

Executive summary

A high-severity SQL Injection vulnerability has been identified in the AffiliateWP plugin for WordPress. This flaw allows an attacker to manipulate the website's database, potentially leading to the theft of sensitive information, unauthorized access, and full site compromise. Immediate patching is required to mitigate the risk of data breaches and reputational damage.

Vulnerability

The AffiliateWP plugin is vulnerable to SQL Injection. The ajax_get_affiliate_id_from_login function does not properly sanitize user-supplied input before using it in a database query. An unauthenticated attacker can craft a malicious request to this AJAX function, injecting arbitrary SQL commands to read, modify, or delete data from the WordPress database.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to significant business consequences, including the exfiltration of sensitive data such as customer information, affiliate payment details, and user credentials. An attacker could also potentially escalate privileges to gain administrative control over the website, leading to defacement, malware distribution, or a complete loss of service. These outcomes pose a direct risk of financial loss, reputational damage, and potential regulatory penalties for data breaches.

Remediation

Immediate Action: Update the AffiliateWP plugin to the latest version available from the vendor, which will be a version greater than 2.0. If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for suspicious POST requests targeting the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) that call the ajax_get_affiliate_id_from_login action. Look for common SQL injection payloads (e.g., single quotes, UNION SELECT, SLEEP()) within the request parameters. Additionally, enable and review database query logs for unusual or malformed queries.
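The following Python script is an added example, not part of this advisory or of the plugin's code, that applies the monitoring guidance above to web server access logs: it parses combined-format entries, keeps only admin-ajax.php requests whose action parameter names the function above, and flags those whose decoded parameters contain the listed markers. The action slug, the `username` parameter and the log lines are constructed assumptions, since the advisory names only the function.

```python
"""Added detection helper (not advisory or plugin code): flag admin-ajax.php
requests carrying the AffiliateWP login-lookup action plus common SQLi markers."""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Assumed AJAX action slug; the advisory names the vulnerable function only.
SUSPECT_ACTION = "ajax_get_affiliate_id_from_login"
# Markers from the advisory's monitoring guidance, matched case-insensitively.
SQLI_MARKERS = [r"'", r"\bunion\b\s+(all\s+)?select\b", r"\bsleep\s*\("]
# Combined log format (Apache/nginx): ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def is_sqli_attempt(raw_query: str) -> bool:
    """True if the URL-decoded query string contains any SQLi marker."""
    decoded = unquote_plus(raw_query)
    return any(re.search(m, decoded, re.IGNORECASE) for m in SQLI_MARKERS)

def flag_suspicious(lines):
    """Return (ip, timestamp, decoded target) for each admin-ajax.php request
    that names the suspect action and carries a SQLi marker in its parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(parts.query)
        if SUSPECT_ACTION not in params.get("action", []):
            continue
        if is_sqli_attempt(parts.query):
            hits.append((m["ip"], m["ts"], unquote_plus(m["target"])))
    return hits

# Constructed sample lines (not real traffic). POST bodies are not written to
# access logs, so only parameters sent in the query string are visible here.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_get_affiliate_id_from_login&username=alice HTTP/1.1" 200 45',
    '203.0.113.9 - - [10/Aug/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_get_affiliate_id_from_login&username=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 45',
    '203.0.113.9 - - [10/Aug/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_get_affiliate_id_from_login&username=x%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 45',
    '198.51.100.2 - - [10/Aug/2025:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

Parameters sent only in the POST body are not visible in access logs, so pair this with WAF or database query logging for full coverage.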

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block SQL injection attempts. Ensure the database user for the WordPress application operates with the principle of least privilege, restricting its ability to access or modify critical system tables or files.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) of this SQL Injection vulnerability and the widespread use of the AffiliateWP plugin, we strongly recommend that organizations take immediate action. All instances of the affected plugin should be updated to the latest patched version without delay. Although this CVE is not currently listed on the CISA KEV list, its potential for data exfiltration and site compromise makes it a critical priority for remediation.