CVE-2024-12561: 
WordPress vulnerability analysis and mitigation

The Affiliate Sales in Google Analytics and other tools plugin for WordPress contains an Open Redirect vulnerability (CVE-2024-12561) affecting all versions up to and including 1.4.9. The vulnerability was discovered and reported by Wordfence researchers and disclosed on May 20, 2025 (NVD, Wiz).

The vulnerability stems from insufficient validation of the redirect URL supplied via the 'afflink' parameter in the plugin's code. The issue is specifically located in the WecantrackApp.php file where the URL validation is inadequate. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to redirect users to potentially malicious websites if they can successfully trick them into performing specific actions. This could be exploited in phishing campaigns or other social engineering attacks to direct users to malicious websites (Wiz).

Website administrators running the affected plugin should update to a version newer than 1.4.9 when available. Until then, careful monitoring of redirect parameters and implementing additional URL validation at the web application firewall level can help mitigate the risk (Wiz).