Headline
CVE-2022-3898: WP Affiliate Plugin - Affiliate Program Management Plugin
The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions, including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
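The missing check described above, shown as an added example that is not the plugin's own code: a hypothetical admin handler that deletes a record without nonce validation, next to the same handler with a capability check and a nonce bound to the action. The `example_aff_*` functions, the `example_affiliates` table and the `delete_aff` parameter are assumptions, and the snippet assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Added example: hypothetical handler, not the WP Affiliate Platform source.
// Assumed names: example_aff_* functions, example_affiliates table, delete_aff parameter.

// Build the per-row delete link. wp_nonce_url() appends a _wpnonce value that is
// tied to the action string, the logged-in user and a time window.
function example_aff_delete_url( $affiliate_id ) {
    $id  = absint( $affiliate_id );
    $url = add_query_arg(
        array( 'page' => 'example_affiliates', 'delete_aff' => $id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_aff_delete_' . $id );
}

// Vulnerable shape: the administrator's session cookie is the only thing that
// authorises the delete, so a request triggered from another site is honoured.
function example_aff_menu_vulnerable() {
    global $wpdb;
    if ( isset( $_GET['delete_aff'] ) ) {
        $id = absint( $_GET['delete_aff'] );
        $wpdb->delete( $wpdb->prefix . 'example_affiliates', array( 'id' => $id ), array( '%d' ) );
    }
}

// Hardened shape: capability check and nonce check run before any state change.
function example_aff_menu_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['delete_aff'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete affiliates.', '', array( 'response' => 403 ) );
    }
    $id = absint( $_GET['delete_aff'] );
    // check_admin_referer() reads $_REQUEST['_wpnonce'] and stops the request
    // if the nonce is missing, expired, or was issued for a different action or row.
    check_admin_referer( 'example_aff_delete_' . $id );
    $wpdb->delete( $wpdb->prefix . 'example_affiliates', array( 'id' => $id ), array( '%d' ) );
}
```

Binding the row id into the nonce action means a valid nonce for one record cannot be replayed against another; moving the delete from a link to a POST form with `wp_nonce_field()` additionally keeps the nonce out of URLs and browser history.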
It is a known fact that having an affiliate program is the most powerful way to market your products or services online (Read more on the benefits of affiliate program).
If you own a WordPress blog/site and your answer to the following questions is ‘yes’ then the ‘WordPress Affiliate Platform’ is what you need:
- Do you sell products or services online from your WordPress blog/site?
- Do you want to increase your sales and explode your profits by using an affiliate program?
- Do you want to have your own affiliate program so you can cut the middle man and build your own brand?
WordPress Affiliate Plugin Summary
The WordPress Affiliate Platform is an easy to use WordPress plugin for affiliate recruitment, management and tracking that can be used on any WordPress blog or site. This plugin lets you run your own affiliate campaign/program and allows you to reward (pay commission) your affiliates for referring sales.
The admin can configure banners, links and creatives which the affiliates can use on their site to drive traffic to your site. All the clicks, leads, sales etc are tracked by this plugin.
WP Affiliate plugin turns WordPress into the best affiliate campaign management platform
If you are running online ad campaigns for your products and services then you can use the affiliate platform plugin to measure the true conversion rate of each campaign to find out the profitable ones. This allows you to weed out the non-profitable campaigns and save money in the process.
In a nutshell, the Affiliate Platform Plugin will help you achieve the following:
- Launch your affiliate campaign in a short time.
- Monitor clicks and conversions of visitors sent by your affiliates.
- Maintain your brand with your own product Ad Banners, Links and Creatives.
- Drive more traffic to your landing/sales page from your Affiliate’s site.
- Significantly BOOST revenue with more sales.
We use this plugin to run our affiliate program and it has had a positive effect on our product sales.
How WP Affiliate Plugin Works
Affiliate marketing is a type of performance-based marketing where you (the store owner) reward affiliates for sending customers to your site. The following page explains how it all works:
- How the WordPress Affiliate Platform Works
WP Affiliate Plugin Features
Some key features of the WordPress Affiliate Platform include:
Easy Installation
Easy installation like any other WordPress plugin and very easy to use. Seamlessly integrates with your website’s look and feel.
Real Time Reporting
Real-time reporting. All data (clicks, sales, commissions) is tracked, computed and displayed in real time with no delay.
Accurate Commission Calculation
Affiliate commissions are calculated accurately and awarded to the affiliate after a confirmed sale.
Two Tier Affiliate Structure
Can be configured to use as a two-tier affiliate structure.
Easy Affiliate Management
View your affiliate details, commission level, account status etc. Easily change commission, edit affiliate details, view affiliate referrals, commissions and much more.
Self Managed Affiliate Area
Your affiliates will be able to create an account, log into their affiliate account and get ad code, view referrals, commissions and payout details.
Affiliate Ad Code
You can offer text and image ads to your affiliates. Your affiliates will be able to copy the ad code and use it to refer visitors.
Offer Creatives
You have the ability to offer creatives (pre-written text copy) to your affiliates. Your affiliates can use it to promote your products easily.
Referral Link Generator
It comes with a built-in link generation tool in the affiliate area. Your affiliates can use this tool to generate a referral link and share it easily via email, Facebook, Twitter etc.
Offer Signup Bonus
You can offer a one-time signup bonus to your affiliates. This can help you attract more affiliates to join you.
Autoresponder Integration
It can be integrated with Autoresponders (AWeber, MailChimp, GetResponse, Mailpoet, Madmimi). This way the affiliates automatically get added to your list/campaign for email marketing purpose.
Unlimited Affiliates
No limit on the number of affiliates you can have and no monthly fees to use this plugin. Have as many affiliates as you want!
Manually Approve Affiliates
You can choose to manually approve each affiliate account. There is also an option to send the affiliate an email when you have reviewed the application and approved the account.
Commission Notification
You can configure email notification that will be sent to your affiliate and you, when an affiliate receives a commission.
$0 Commission Recording
Ability to enable or disable $0 commission recording. If the commission from a transaction is $0, you will be able to show or hide it.
Option to Show EPC Data
Ability to show the EPC (Earnings Per Click) data to your affiliates in their affiliate portal (under the sales menu).
Export Data to CSV File
Ability to export all your affiliate commissions data to a CSV file so you can view it using Excel. You can export your affiliate leads data to a CSV file also.
Multi Site License
When you buy the WP Affiliate Platform plugin you can use it on as many sites as you own (you gotta love that!). There is no “Developer Option” here. One low price entitles you to use the plugin on all of your sites.
Plugin Stability
Our plugin code-base is very stable. We put a lot of effort into testing and developing our plugins so it doesn’t break your site after you upgrade.
Easy Integration with Most WordPress Shopping Carts
Integrates with most WordPress shopping carts including WooCommerce, eShop, Shopp plugin, Cart66, WP Shopping Cart etc. Check the integration section on our documentation page to see the full details of the available pre-made integration options.
Fully Integrates with WP eStore
Fully integrates with the WordPress eStore (WordPress Shopping Cart) plugin. Selling products from your WordPress site using the WP eStore plugin is quick and easy.
PayPal Button Integration
You can easily integrate this affiliate plugin with PayPal buttons that you create from your PayPal account. It can work for both one time and subscription PayPal payment buttons.
Integrates with Some Hosted Shopping Carts
Affiliate platform integrates with some hosted shopping carts like e-Junkie, FoxyCart, Ecwid etc. Check the integration section of our documentation page to see the full details of the available integration options.
Easy Integration with WooCommerce Plugin
The affiliate plugin easily integrates with the WooCommerce plugin. When your customers complete a sale via Woo Commerce, the plugin awards the commission to the appropriate affiliate (if any). You can also integrate WooCommerce coupons with this plugin to track and award commission based on the coupon that was used in the transaction.
Easy Integration with the WP-eCommerce Plugin
Can be easily integrated with the GetShopped WP-eCommerce plugin. You can view the WP eCommerce plugin integration details on our integration documentation page.
Integration with Gravity Forms Plugin
Can be integrated with the Gravity forms plugin to capture leads referred by your affiliates. It also integrates with their pricing fields option.
Integrates with WishList Member plugin
Can be integrated with the WishList Member plugin (Create Membership Site) when using PayPal buttons.
Developer Integration
Developers can integrate the WordPress affiliate plugin with any shopping cart or a plugin via the API (read the 3rd party integration post to understand what is involved in such an integration).
Works with HTTPS Pages
Affiliate Platform plugin works with https pages out of the box (useful if you are using an SSL certificate on your website).
Always Kept Up to Date
We keep our plugins up to date to work with the latest version of WordPress. We have been doing this for 5+ years so rest assured that our plugins will always be compatible with any future WordPress updates.
Free Future Upgrades
Free future improvements and upgrades (there is no annual fee). You will always have access to the latest version of the plugin for free.
Great Support
Tired of listening to fake support promises? Check out our customer only forum to see how we handle product related issues (usually within 24 hours). Our support forum is moderated by the developers who created the plugin(s).
Documentation & Technical Support
- Documentation page (Contains all the documentation for the WP Affiliate Platform plugin)
If you are having any issue with this plugin then feel free to post it on the customer only support forum.
Please make sure you visit the demo and the documentation page so you understand the capability of this plugin. Do not assume that this plugin will magically work with a 3rd party plugin/solution that is not listed in the “Integration” section of the documentation page. Contact us if you are unsure about something and we will try to clarify it for you.
Customer Feedback
We won’t waste your time with fake testimonials! Check out the customer feedback page and see what some of our customers have to say about us.
I meant to say this the other day: your customer support is EXCELLENT! Pre-sales or post sales, you always get back – it’s such a pleasure to work with you!
Combined costs for both products is a steal for the amount of functionality I get. A forthcoming review on my site will reflect that – I hope I can support you any way I can.
Jay Versluis
http://www.versluis.com/
You can also check the comment section below for more customer feedback.
Buy the WordPress Affiliate Platform
Summary
- App Category: WordPress Plugin
- Software Name: WordPress Affiliate Platform
- Version: 6.4.0
- Date Modified: 2022-11-01
- Operating System: WordPress 6.1
- Requirements: WordPress 5.5 or higher
- Description: WordPress affiliate management plugin for automatic affiliate recruitment, management and referral tracking
- File Format: application/zip
Easy Affiliate Program for WordPress blog or site. (Includes Free Lifetime Updates)
Get the Affiliate Software now and start building your sales army!
Related news
The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sforum_[md5 hash of the WordPress URL]' cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This would be highly complex to exploit as it would require the attacker to set a cookie for the targeted user.
The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page.
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when responding to forum threads that will execute whenever a user accesses an injected page.
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to inject arbitrary web scripts in pages when modifying a profile signature that will execute whenever a user accesses an injected page.
The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of an insufficiently strong hashing algorithm on the CAPTCHA secret, which is also displayed to the user via a cookie.
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc.). This makes it possible for attackers to submit values other than the intended input type.
The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.
The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc.