Platform: wordpress
Component: purchase-button
Fixed in: 1.0.3
CVE-2026-1073 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Purchase Button For Affiliate Link plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings, disrupting affiliate link operations. The vulnerability impacts versions 1.0.0 through 1.0.2, and a fix is expected in a future release.
The core impact of CVE-2026-1073 lies in the ability of an attacker to manipulate the plugin's configuration without authentication. By crafting a malicious request and tricking a site administrator into clicking a link, an attacker could alter affiliate links, redirect users to unintended destinations, or even disable the plugin's functionality entirely. This could lead to financial losses for affiliate marketers, damage to website reputation, and a degraded user experience. The attack vector relies on social engineering, making user awareness and cautious link clicking crucial.
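To make the failure mode concrete, here is an added example (not code from the Purchase Button For Affiliate Link plugin) of a hypothetical WordPress options-page handler in its CSRF-prone form and its nonce-protected form; the option name, form field and function names are constructed for illustration.

```php
<?php
// Added example, not code from the affected plugin. Option and field names
// (pbal_affiliate_url, pbal_nonce, pbal_save_settings) are constructed.

// CSRF-prone pattern: any POST reaching this handler updates the option, so a
// forged cross-site form submitted by a logged-in administrator's browser
// succeeds because the request carries the admin's session cookies.
function pbal_example_save_settings_vulnerable() {
    if ( isset( $_POST['pbal_affiliate_url'] ) ) {
        update_option( 'pbal_affiliate_url', $_POST['pbal_affiliate_url'] );
    }
}

// Hardened pattern, part 1: the form embeds a nonce bound to the current user
// and to this specific action, so a page on another origin cannot supply it.
function pbal_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'pbal_save_settings', 'pbal_nonce' ); ?>
        <input type="url" name="pbal_affiliate_url"
               value="<?php echo esc_attr( get_option( 'pbal_affiliate_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify capability and nonce before touching settings.
function pbal_example_save_settings_hardened() {
    if ( ! isset( $_POST['pbal_affiliate_url'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: check_admin_referer() calls wp_die() itself when the nonce
    // is missing, expired, or was issued for a different user or action.
    check_admin_referer( 'pbal_save_settings', 'pbal_nonce' );

    // Sanitize before storing so a valid submission cannot inject markup.
    $url = esc_url_raw( wp_unslash( $_POST['pbal_affiliate_url'] ) );
    update_option( 'pbal_affiliate_url', $url );
}
```

Reviewing a plugin's settings handlers for the presence of both a capability check and a nonce check is the quickest way to confirm whether an update actually closes this class of issue.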
CVE-2026-1073 was publicly disclosed on 2026-03-07. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. While active exploitation is not confirmed, the ease of exploitation via social engineering suggests a potential for opportunistic attacks.
Websites utilizing the Purchase Button For Affiliate Link plugin, particularly those with administrative access granted to multiple users or those lacking robust security awareness training, are at increased risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable.
• wordpress / composer / npm: grep -r 'inc/purchase-btn-options-page.php' ./
• wordpress / composer / npm: wp plugin list --status=active | grep 'Purchase Button For Affiliate Link'
• wordpress / composer / npm: wp plugin update --all
• generic web: Check the WordPress plugin directory for updated versions of 'Purchase Button For Affiliate Link'.
disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1073 is to upgrade to a patched version of the Purchase Button For Affiliate Link plugin once available. Until a patch is released, administrators should exercise extreme caution when clicking links within the WordPress dashboard, especially those originating from untrusted sources. Implementing a Web Application Firewall (WAF) with CSRF protection rules can provide an additional layer of defense. Regularly review plugin settings for any unauthorized changes.
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be preferable to uninstall the affected software and look for a replacement.
CVE-2026-1073 is a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase Button For Affiliate Link WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using the Purchase Button For Affiliate Link plugin in versions 1.0.0 through 1.0.2.
Upgrade to a patched version of the plugin as soon as it becomes available. Until then, exercise caution when clicking links in the WordPress dashboard.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants caution.
Check the plugin author's website or the WordPress plugin directory for updates and advisories related to CVE-2026-1073.