Platform
wordpress
Component
purchase-button
Fixed in
1.0.3
CVE-2026-1073 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Purchase Button For Affiliate Link plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings, disrupting affiliate link operations. The vulnerability impacts versions 1.0.0 through 1.0.2, and a fix is expected in a future release.
The core impact of CVE-2026-1073 lies in the ability of an attacker to manipulate the plugin's configuration without authentication. By crafting a malicious request and tricking a site administrator into clicking a link, an attacker could alter affiliate links, redirect users to unintended destinations, or even disable the plugin's functionality entirely. This could lead to financial losses for affiliate marketers, damage to website reputation, and a degraded user experience. The attack vector relies on social engineering, making user awareness and cautious link clicking crucial.
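The settings-page pattern behind this class of bug, as an added illustration that is not the plugin's own code: a WordPress options handler that applies any POST it receives beside one that checks capability, nonce and input. The option, action and nonce names (`pbal_settings`, `pbal_save_settings`, `pbal_nonce`) are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Option, action and nonce
// names ("pbal_settings", "pbal_save_settings", "pbal_nonce") are hypothetical.

// VULNERABLE PATTERN: every POST to admin-post.php?action=pbal_save_settings
// that an administrator's browser sends is applied, even when a third-party
// page triggered it, because nothing proves the request came from our form.
function pbal_save_settings_vulnerable() {
    $url = isset( $_POST['affiliate_url'] ) ? $_POST['affiliate_url'] : '';
    update_option( 'pbal_settings', array( 'affiliate_url' => $url ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=pbal' ) );
    exit;
}

// HARDENED PATTERN: capability check, nonce check, then input validation.
function pbal_save_settings_hardened() {
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. The nonce is bound to this user and to the form they were shown;
    //    a cross-site forged request cannot contain it. Dies on failure.
    check_admin_referer( 'pbal_save_settings', 'pbal_nonce' );

    // 3. Validate and sanitise before storing.
    $url    = isset( $_POST['affiliate_url'] ) ? esc_url_raw( wp_unslash( $_POST['affiliate_url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_die( 'Invalid affiliate URL', 400 );
    }
    update_option( 'pbal_settings', array( 'affiliate_url' => $url ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=pbal' ) );
    exit;
}
add_action( 'admin_post_pbal_save_settings', 'pbal_save_settings_hardened' );

// The settings form must emit the matching nonce field for the check to pass.
function pbal_render_form() {
    $opts = (array) get_option( 'pbal_settings', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'pbal_save_settings', 'pbal_nonce' );
    echo '<input type="hidden" name="action" value="pbal_save_settings">';
    echo '<input type="url" name="affiliate_url" value="'
        . esc_attr( $opts['affiliate_url'] ?? '' ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

For a site owner, the same checks explain why the mitigations below matter: a WAF rule can reject cross-origin POSTs to `admin-post.php`, but only the nonce check in the plugin itself closes the hole.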
CVE-2026-1073 was publicly disclosed on 2026-03-07. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. While active exploitation is not confirmed, the ease of exploitation via social engineering suggests a potential for opportunistic attacks.
Websites utilizing the Purchase Button For Affiliate Link plugin, particularly those with administrative access granted to multiple users or those lacking robust security awareness training, are at increased risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable.
• wordpress / composer / npm:
grep -r 'inc/purchase-btn-options-page.php' ./
• wordpress / composer / npm:
wp plugin list --status=active | grep 'Purchase Button For Affiliate Link'
• wordpress / composer / npm:
wp plugin update --all
• generic web: Check the WordPress plugin directory for updated versions of 'Purchase Button For Affiliate Link'.
disclosure
Exploit Status
EPSS
0.01% (percentile 2%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1073 is to upgrade to a patched version of the Purchase Button For Affiliate Link plugin once available. Until a patch is released, administrators should exercise extreme caution when clicking links within the WordPress dashboard, especially those originating from untrusted sources. Implementing a Web Application Firewall (WAF) with CSRF protection rules can provide an additional layer of defense. Regularly review plugin settings for any unauthorized changes.
No known fix is available. Please review the vulnerability details thoroughly and implement mitigations according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement.
CVE-2026-1073 is a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase Button For Affiliate Link WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using the Purchase Button For Affiliate Link plugin in versions 1.0.0 through 1.0.2.
Upgrade to a patched version of the plugin as soon as it becomes available. Until then, exercise caution when clicking links in the WordPress dashboard.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants caution.
Check the plugin author's website or the WordPress plugin directory for updates and advisories related to CVE-2026-1073.