PT-2022-13317 · WordPress · Thirstyaffiliates

Muhamad Hidayat · Published 2022-04-25 · Updated 2023-07-11 · CVE-2022-0634

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ThirstyAffiliates WordPress plugin, versions prior to 3.10.5
Description: The plugin performs no authorization check in its `ta_insert_external_image` AJAX action, so any authenticated user, down to the Subscriber role (CVSS PR:L), can attach an image from an external URL to an affiliate link. The same action also has no CSRF protection (no nonce check), so an attacker can craft a request that performs the action in the context of a logged-in user, including an administrator, who is tricked into submitting it.
Recommendations: For versions prior to 3.10.5, update to 3.10.5 or later, which adds the missing checks. As a temporary workaround, restrict the `ta_insert_external_image` action to trusted roles (for example by rejecting the request before the plugin's handler runs, or by disabling the plugin) until the update can be applied. Note that a role restriction alone does not remove the CSRF exposure for users who remain allowed to perform the action.
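To make the weakness and the remedy concrete, the following mu-plugin is an added example written for this advisory; it is not ThirstyAffiliates code and does not reproduce the plugin's real handler. It shows the handler shape that produces both findings (missing authorization plus missing CSRF check on a `wp_ajax_*` action), the hardened form with `check_ajax_referer()` and `current_user_can()`, and a standalone guard that implements the temporary workaround from the Recommendations without editing the plugin. Assumptions: the action is registered on the `wp_ajax_ta_insert_external_image` hook at WordPress's default priority 10, the request carries `link_id` and `image_url` POST fields, and the capabilities named (`edit_post`, `manage_options`) are placeholders to be replaced by whatever the site actually requires.

```php
<?php
/**
 * Plugin Name: Guard ta_insert_external_image (added example, not plugin code)
 * Description: Drop into wp-content/mu-plugins/ as a stop-gap until ThirstyAffiliates >= 3.10.5 is installed.
 */

// Pattern that produces the advisory's two findings (illustrative, not the real handler).
// wp_ajax_* fires for every logged-in user, so without an explicit capability check
// a Subscriber reaches this code, and without a nonce check any site can make a
// victim's browser submit it. Field names (link_id, image_url) are assumptions.
function example_vulnerable_insert_external_image() {
    $link_id = absint( $_POST['link_id'] ?? 0 );
    $url     = esc_url_raw( wp_unslash( $_POST['image_url'] ?? '' ) );
    // ... attach $url to affiliate link $link_id ...
    wp_send_json_success( array( 'link_id' => $link_id, 'url' => $url ) );
}

// Hardened form: the same handler with the two missing controls added.
function example_hardened_insert_external_image() {
    // 1. CSRF: require a nonce issued for this action to this user.
    //    The front end must send one created with wp_create_nonce( 'ta_insert_external_image' ).
    //    On mismatch check_ajax_referer() calls wp_die() with HTTP 403.
    check_ajax_referer( 'ta_insert_external_image', 'nonce' );

    // 2. Authorization: the user must be allowed to modify the target object.
    //    'edit_post' on the link's post ID is an assumption; map it to the real
    //    capability of the affiliate-link post type.
    $link_id = absint( $_POST['link_id'] ?? 0 );
    if ( ! $link_id || ! current_user_can( 'edit_post', $link_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $url = esc_url_raw( wp_unslash( $_POST['image_url'] ?? '' ) );
    if ( '' === $url ) {
        wp_send_json_error( array( 'message' => 'Invalid image URL.' ), 400 );
    }
    // ... attach $url to affiliate link $link_id ...
    wp_send_json_success( array( 'link_id' => $link_id, 'url' => $url ) );
}

// Temporary workaround: hook the same action at priority 0 so this guard runs
// before the plugin's callback (assumed at the default priority 10).
// wp_send_json_error() terminates the request through wp_die(), so the
// vulnerable callback never executes for a disallowed user.
function example_guard_ta_insert_external_image() {
    // 'manage_options' (administrators) is an assumption; choose the narrowest
    // role that legitimately needs to attach images to affiliate links.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Action disabled for this role.' ), 403 );
    }
    // Allowed users fall through to the plugin's own handler. This guard does not
    // add CSRF protection for them; only the vendor fix (or a nonce check like the
    // one above, which requires matching front-end changes) closes that part.
}
add_action( 'wp_ajax_ta_insert_external_image', 'example_guard_ta_insert_external_image', 0 );
```

Only the guard is hooked; the two handler functions are reference patterns and are not registered, so the mu-plugin does not conflict with the plugin's own callback. Remove the file once the plugin has been updated to 3.10.5 or later, since the guard will otherwise keep masking the vendor's behaviour and make future testing of the fixed action confusing.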

Exploit

Fix

Weakness Enumeration: Missing Authorization (CWE-862); Cross-Site Request Forgery, CSRF (CWE-352)

Related Identifiers: CVE-2022-0634

Affected Products: Thirstyaffiliates