Purchase Button For Affiliate Link plugin allows attackers to change settings

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.3

Purchase Button For Affiliate Link plugin allows attackers to change settings

CVE-2026-1073

Summary

A security flaw in the Purchase Button For Affiliate Link plugin for WordPress makes it possible for attackers to change plugin settings without permission. This could happen if a site administrator clicks on a malicious link. To fix this, update the plugin to version 1.0.3 or later.

Original title

Original description

The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in `inc/purchase-btn-options-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

nvd CVSS3.1 4.3

Vulnerability type

CWE-352 Cross-Site Request Forgery (CSRF)

Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026