Platform: wordpress
Component: purchase-button
Fixed in: 1.0.3
CVE-2026-1073 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Purchase Button For Affiliate Link plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings, disrupting affiliate link operations. The vulnerability impacts versions 1.0.0 through 1.0.2, and a fix is expected in a future release.
The core impact of CVE-2026-1073 lies in the ability of an attacker to manipulate the plugin's configuration without authentication. By crafting a malicious request and tricking a site administrator into clicking a link, an attacker could alter affiliate links, redirect users to unintended destinations, or even disable the plugin's functionality entirely. This could lead to financial losses for affiliate marketers, damage to website reputation, and a degraded user experience. The attack vector relies on social engineering, making user awareness and cautious link clicking crucial.
CVE-2026-1073 was publicly disclosed on 2026-03-07. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. While active exploitation is not confirmed, the ease of exploitation via social engineering suggests a potential for opportunistic attacks.
Websites utilizing the Purchase Button For Affiliate Link plugin, particularly those with administrative access granted to multiple users or those lacking robust security awareness training, are at increased risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable.
• wordpress / composer / npm: grep -r 'inc/purchase-btn-options-page.php' ./
• wordpress / composer / npm: wp plugin list --status=active | grep 'Purchase Button For Affiliate Link'
• wordpress / composer / npm: wp plugin update --all
• generic web: Check the WordPress plugin directory for updated versions of 'Purchase Button For Affiliate Link'.
Disclosure
Exploit status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1073 is to upgrade to a patched version of the Purchase Button For Affiliate Link plugin once available. Until a patch is released, administrators should exercise extreme caution when clicking links within the WordPress dashboard, especially those originating from untrusted sources. Implementing a Web Application Firewall (WAF) with CSRF protection rules can provide an additional layer of defense. Regularly review plugin settings for any unauthorized changes.
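For readers who maintain WordPress plugins, the code-level fix for this class of bug is the nonce and capability check that WordPress core already provides for settings forms. The following is an added example written for this page; it is not code from the Purchase Button For Affiliate Link plugin, and every name prefixed `example_` (functions, the option key, the nonce action and field) is hypothetical. It shows a settings-save handler once without protection and once hardened.

```php
<?php
/**
 * Added example, not code from the Purchase Button For Affiliate Link plugin.
 * A minimal WordPress settings handler shown twice: the pattern that is open
 * to CSRF, and the same handler with the checks WordPress core provides.
 * Every name prefixed "example_" is hypothetical.
 */

// --- Vulnerable pattern: the option is rewritten for any POST the
// administrator's browser submits, including a forged one, because nothing
// proves the request originated from the plugin's own settings page and
// nothing checks that the current user may change options.
function example_save_options_vulnerable() {
    if ( isset( $_POST['example_affiliate_url'] ) ) {
        update_option( 'example_affiliate_url', $_POST['example_affiliate_url'] );
    }
}

// --- Hardened pattern: form with a nonce field, posted via admin-post.php.
function example_render_options_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_options">
        <?php wp_nonce_field( 'example_save_options', 'example_nonce' ); ?>
        <label>Affiliate URL
            <input type="url" name="example_affiliate_url"
                   value="<?php echo esc_attr( get_option( 'example_affiliate_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_options_hardened() {
    // 1. The request must carry a valid, unexpired nonce bound to this action
    //    and to the logged-in user; check_admin_referer() stops with a 403
    //    otherwise. A page on another origin cannot obtain this value.
    check_admin_referer( 'example_save_options', 'example_nonce' );

    // 2. The user must be allowed to change site options at all. The nonce
    //    proves intent from the plugin's own page; it does not authorize.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Validate before storing: an affiliate link must be an http(s) URL.
    $url = isset( $_POST['example_affiliate_url'] )
        ? esc_url_raw( wp_unslash( $_POST['example_affiliate_url'] ), array( 'http', 'https' ) )
        : '';
    if ( '' === $url ) {
        wp_die( 'Invalid affiliate URL.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_affiliate_url', $url );

    // Redirect back to the settings page (same-site only via wp_safe_redirect).
    $back = wp_get_referer() ? wp_get_referer() : admin_url( 'options-general.php' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}

// admin_post_{action} hooks only fire for logged-in users; the nonce and
// capability checks above are what make the handler safe for them.
add_action( 'admin_post_example_save_options', 'example_save_options_hardened' );
```

The two checks are complementary: the nonce defeats a forged cross-site request from an administrator's browser, and the capability check prevents a low-privilege logged-in user from reaching the handler directly. A WAF rule, as suggested above, is a useful stop-gap but does not replace either check, since it cannot tell an intended settings change from a forged one with the same shape.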
No known patch available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and find a replacement.
CVE-2026-1073 is a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase Button For Affiliate Link WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using the Purchase Button For Affiliate Link plugin in versions 1.0.0 through 1.0.2.
Upgrade to a patched version of the plugin as soon as it becomes available. Until then, exercise caution when clicking links in the WordPress dashboard.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants caution.
Check the plugin author's website or the WordPress plugin directory for updates and advisories related to CVE-2026-1073.