Platform
wordpress
Component
purchase-button
Fixed in
1.0.3
CVE-2026-1073 is a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase Button For Affiliate Link plugin for WordPress. A forged request submitted from a logged-in administrator's browser can change the plugin's settings and disrupt affiliate link operations, and the attacker needs no account on the site. Versions 1.0.0 through 1.0.2 are affected; the header above lists 1.0.3 as the fixed release, so confirm against the plugin changelog before treating an install as patched.
The core impact of CVE-2026-1073 is that plugin configuration can be changed by someone who never authenticates to the site. The attacker hosts a page or sends a link that causes the victim's browser to submit a crafted request to the WordPress admin endpoint; because the browser attaches the administrator's session cookies automatically, the request is processed as if the administrator had submitted the settings form. With control over the settings, an attacker could alter affiliate links, redirect visitors to unintended destinations, or disable the plugin's functionality, leading to lost affiliate revenue, reputational damage, and a degraded user experience. The attack depends on social engineering a logged-in administrator, so user awareness helps, but the durable fix is server-side: the plugin must tie each settings change to an action the administrator actually initiated.
CVE-2026-1073 was publicly disclosed on 2026-03-07. No public proof-of-concept exploit is known, and the EPSS score is 0.01% (2nd percentile). Active exploitation is not confirmed, but a settings CSRF is cheap to weaponize, so opportunistic attacks remain plausible.
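The pattern behind a WordPress settings-CSRF bug, and its standard fix, as an added illustration. This is not code from the Purchase Button For Affiliate Link plugin and does not reproduce its actual handler; the option name `pbal_affiliate_url`, the `pbal_save` action slug and the menu page slug are hypothetical. The hardened handler adds the two checks WordPress provides for exactly this case: a capability check and a nonce check (`check_admin_referer`), the nonce being a per-user, per-action token that a cross-origin forged form cannot obtain.

```php
<?php
// Added example, not the plugin's own code. Option and action names are hypothetical.

// --- Unprotected pattern (the shape of a settings-CSRF bug) ---
// Nothing here proves the request came from a form the admin submitted on
// this site; a forged POST carrying the admin's cookies is accepted as-is.
// Shown for contrast only: this function is deliberately NOT hooked.
function pbal_save_settings_unprotected() {
    if ( isset( $_POST['pbal_affiliate_url'] ) ) {
        $url = esc_url_raw( wp_unslash( $_POST['pbal_affiliate_url'] ) );
        update_option( 'pbal_affiliate_url', $url );
    }
}

// --- Hardened pattern ---
function pbal_save_settings() {
    // 1. Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'pbal' ), 403 );
    }

    // 2. CSRF defence: the request must carry the nonce WordPress issued to this
    //    user for this action. check_admin_referer() terminates with a 403 page
    //    when the nonce is missing, forged, or expired.
    check_admin_referer( 'pbal_save_settings', 'pbal_nonce' );

    // 3. Validate and store the value only after both checks pass.
    $url = isset( $_POST['pbal_affiliate_url'] )
        ? esc_url_raw( wp_unslash( $_POST['pbal_affiliate_url'] ) )
        : '';
    update_option( 'pbal_affiliate_url', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=pbal' ) ) );
    exit;
}
// admin_post_{action} fires for POSTs to wp-admin/admin-post.php with action=pbal_save.
add_action( 'admin_post_pbal_save', 'pbal_save_settings' );

// The settings form must emit the matching nonce field, otherwise legitimate
// saves fail the check too. wp_nonce_field() writes the hidden nonce input
// plus a referer field.
function pbal_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pbal_save">
        <?php wp_nonce_field( 'pbal_save_settings', 'pbal_nonce' ); ?>
        <label for="pbal_affiliate_url">Affiliate URL</label>
        <input type="url" id="pbal_affiliate_url" name="pbal_affiliate_url"
               value="<?php echo esc_attr( get_option( 'pbal_affiliate_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look at every handler that calls `update_option()` (or `update_post_meta()`, `wp_update_user()` and similar) and confirm it runs both a `current_user_can()` check and a `check_admin_referer()` / `wp_verify_nonce()` check before writing; a capability check alone does not stop CSRF, because the forged request arrives with a fully privileged session.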
Exploit Status
No public proof-of-concept known; active exploitation not confirmed
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2026-1073 is to upgrade the Purchase Button For Affiliate Link plugin to the fixed release (1.0.3 per the header above; confirm in the plugin changelog), and to verify the installed version afterwards under Plugins > Installed Plugins rather than assuming the update applied. Where an upgrade cannot be applied immediately, administrators should avoid following links from untrusted sources while logged in to the WordPress dashboard, and should log out of wp-admin when not actively using it, since a forged request only succeeds against a live session. A Web Application Firewall with CSRF or cross-origin request rules adds a layer of defence, but it cannot reliably distinguish a forged settings submission from a legitimate one when the plugin itself performs no nonce check, so treat it as a stopgap, not a fix. Review the plugin's settings regularly, and after any suspicious administrator activity, for affiliate URLs or options you did not set.
If a fixed release is not available for your install, review the vulnerability's details and apply mitigations according to your organization's risk tolerance; it may be best to deactivate or uninstall the affected plugin and find a replacement.
CVE-2026-1073 is a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase Button For Affiliate Link WordPress plugin that lets an attacker change plugin settings by having a logged-in administrator's browser submit a forged request.
You are affected if you are running the Purchase Button For Affiliate Link plugin at any version from 1.0.0 through 1.0.2.
Upgrade to the fixed release (listed above as 1.0.3) and confirm the installed version. Until the upgrade is in place, avoid following untrusted links while logged in to the WordPress dashboard.
Active exploitation is not currently confirmed, but a settings CSRF requires little effort to exploit, so the vulnerability warrants prompt attention.
Check the plugin author's website or the WordPress plugin directory for updates and advisories related to CVE-2026-1073.