CVE-2023-47652: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Lucian Apostol Auto Affiliate Links WordPress plugin, which also allows for Stored XSS attacks. The vulnerability affects all versions of Auto Affiliate Links through version 6.4.2.4. The issue was initially reported on May 24, 2023, and was publicly disclosed on November 7, 2023 (Patchstack).

The vulnerability has been assigned CVE-2023-47652 and received varying CVSS v3.1 scores: NIST rates it as MEDIUM with a base score of 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), while Patchstack rates it as HIGH with a score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored cross-site scripting attacks. The vulnerability requires no authentication to exploit, though it does require user interaction (Patchstack).

The vulnerability has been fixed in version 6.4.2.5 of the Auto Affiliate Links plugin. Users are advised to update to this version or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).