Introducing RewardsWP: Drive More Sales with a Refer-a-Friend Program

AffiliateWP users asked for an easy way to let customers refer friends. So we built RewardsWP — a referral marketing plugin that works seamlessly on its own or alongside AffiliateWP.

Continue Reading →

Security update released

Last updated on by Pippin Williamson
LinkedIn

Earlier today, an important security flaw was discovered in the AffiliateWP code base that could potentially be exploited by a person with malicious intent.

The flaw was due to several database queries for affiliate, referral, visit, and creative data that were subject to a possible SQL injection.

With version 1.5.7, the flaw has been fixed.

How important is updating to 1.5.7?

We take security very seriously and always encourage users to update to the latest versions as soon as possible. In this particular case, we would recommend you update right away to ensure the flaw is removed.

How could the flaw be exploited?

For security reasons, we cannot provide the exact details for how the flaw could be exploited, but we can provide a basic overview to provide you with an idea of what the problem was.

Due to a couple of parameters not properly sanitized in our admin-only database queries, it was potentially possible for someone to tamper with the queries and perform an SQL injection attack.

Note: it was only possible for this SQL injection to happen when the currently logged-in user had the necessarily capabilities to view and edit affiliate data. Logged out users and low-level users are not affected. This means that an attacker would have to trick a site admin into clicking on a bad link in order for the flaw to be exploited.

The problem was fixed within hours of being discovered and the update was made available immediately after. To ensure your site is 100% secure, please update to version 1.5.7.

If you have any questions or concerns about this update or the security of your site, do not hesitate to contact us.

 

 

Published by
Pippin Williamson is the founder and CEO of Sandhills Development.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

1 comment on “Security update released

  1. Pingback: esc_sql Doh! WordPress SQL Injection Vulnerability - Pritect Network