Djumanto

#38174 of 53,634
7.2 Total CVSS
Vulnerabilities · 1

PT-2026-38893 · CVSS 7.2 · 2026-05-08
WordPress · Auto Affiliate Links · CVE-2026-7330
**Name of the Vulnerable Software and Affected Versions**

Auto Affiliate Links versions prior to 6.8.9

**Description**

The plugin is subject to Stored Cross-Site Scripting due to insufficient input sanitization of the `url` POST parameter within the `aal_url_stats_save_action()` function and a lack of output escaping in `aal_display_clicks()`. The stored value is echoed directly into an anchor element's `href` attribute and inner text without proper sanitization functions. This allows unauthenticated attackers to inject arbitrary web scripts into the admin statistics page via an unauthenticated AJAX endpoint registered with the `wp_ajax_nopriv_` hook and a publicly exposed nonce. These scripts execute in the browser of an administrator when they visit the affected page.

**Recommendations**

Update the plugin to a version later than 6.8.8. As a temporary workaround, restrict access to the admin statistics page or the `aal_url_stats_save_action()` function until the update is applied.