CVE-2024-13556: 
WordPress vulnerability analysis and mitigation

The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-13556) affecting all versions up to and including 3.0.1. The vulnerability was discovered and disclosed in February 2025 (NVD).

The vulnerability stems from the insecure deserialization of untrusted input from a file export feature. This security flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) (NVD).

While the vulnerability allows unauthenticated attackers to inject PHP Objects, its actual impact depends on the presence of a POP (Property-Oriented Programming) chain in additional plugins or themes installed on the target system. If such a chain exists, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute malicious code (NVD).

Users should upgrade to version 3.1.0 or later of the Affiliate Links plugin to address this vulnerability (WordPress Patch).