CVE-2026-6169
affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution
Vexday Risk Score
21 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.2 | EPSS 0.6% | KEV: no | PoC: — | Nuclei: — | Metasploit: — | Patch: —
Lifecycle
27 May 2026: Published in NVD
Recommendation: Monitor; no exploitation signal for now.
The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References
https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/includes/atkp_posttypes_template.php#L735
https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/includes/helper/atkp_template_helper.php#L1074
https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/lib/bladeone/BladeOne.php#L320
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6310a0c-5a96-4dbc-940e-025c9b907c7d?source=cve