Earlier today, an important security flaw was discovered in the AffiliateWP code base that could potentially be exploited by a person with malicious intent.

The flaw was due to several database queries for affiliate, referral, visit, and creative data that were subject to a possible SQL injection.

With version 1.5.7, the flaw has been fixed.

How important is updating to 1.5.7?

We take security very seriously and always encourage users to update to the latest versions as soon as possible. In this particular case, we would recommend you update right away to ensure the flaw is removed.

How could the flaw be exploited?

For security reasons, we cannot provide the exact details for how the flaw could be exploited, but we can provide a basic overview to provide you with an idea of what the problem was.

Due to a couple of parameters not properly sanitized in our admin-only database queries, it was potentially possible for someone to tamper with the queries and perform an SQL injection attack.

Note: this SQL injection was only possible when the currently logged-in user had the necessary capabilities to view and edit affiliate data. Logged-out users and low-level users are not affected. This means that an attacker would have to trick a site admin into clicking on a bad link in order for the flaw to be exploited.
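To make the two sentences above concrete, here is an added illustration of the pattern described (unsanitized parameters in an admin-only $wpdb query) beside a hardened version. It is not AffiliateWP code: the function names, the table name and the capability name are hypothetical, and it assumes it runs inside a WordPress request where $wpdb and the capability/nonce helpers are loaded.

```php
<?php
// Added illustration, not AffiliateWP code. Table, function and capability names are placeholders.

// Weak pattern: request parameters are dropped into the SQL string unchanged.
// Restricting the screen to admins does not make this safe, because an admin
// can be induced to send the request (the "bad link" scenario above), so the
// query itself must not trust its inputs.
function example_get_referrals_weak( $status, $orderby ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_referrals';
    $sql   = "SELECT * FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: capability check, nonce check, bound values, whitelisted identifiers.
function example_get_referrals_safe( $status, $orderby ) {
    global $wpdb;

    // 1. Only users who may view affiliate data get this far ('manage_options' is a placeholder).
    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }

    // 2. The request must carry a valid nonce, so a crafted link cannot trigger the query.
    check_admin_referer( 'example_referrals_filter' );

    // 3. Values are bound through $wpdb->prepare(), which escapes and quotes them.
    $status = sanitize_key( $status );

    // 4. Identifiers such as ORDER BY columns cannot be bound; they must be whitelisted.
    $allowed_orderby = array( 'referral_id', 'date', 'amount' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'referral_id';
    }

    $table = $wpdb->prefix . 'example_referrals';
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE status = %s ORDER BY {$orderby}",
        $status
    );
    return $wpdb->get_results( $sql );
}
```

The value binding in step 3 is what removes the injection; steps 1, 2 and 4 close the paths (crafted admin link, unbound column name) that a capability check alone leaves open.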

The problem was fixed within hours of being discovered and the update was made available immediately after. To make sure your site is no longer affected, please update to version 1.5.7.

If you have any questions or concerns about this update or the security of your site, do not hesitate to contact us.

Pippin Williamson

About the author: Pippin Williamson is the founder and lead developer of AffiliateWP, Easy Digital Downloads, and Restrict Content Pro. When not writing PHP, he can often be found sipping coffee or brewing beer in his home brewery.
