CVE-2025-11451: CWE-73 External Control of File Name or Path in miunosoft Auto Amazon Links – Amazon Associates Affiliate Plugin
The Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Analysis
Technical Summary
CVE-2025-11451 is classified under CWE-73 (External Control of File Name or Path) and affects the Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress, a widely used plugin for integrating Amazon affiliate links into WordPress sites. The flaw sits in the plugin's REST API route '/wp-json/wp/v2/aal_ajax_unit_loading': a request-controlled value is used to build the name or path of a file that the handler then opens, so a caller who supplies traversal sequences ('../') or an absolute path can make the PHP process read files outside the directory the route was meant to serve. Because the route is registered under the core 'wp/v2' namespace, it is reachable both at '/wp-json/wp/v2/aal_ajax_unit_loading' and, on sites without pretty permalinks, via '/?rest_route=/wp/v2/aal_ajax_unit_loading'; both forms have to be considered when filtering or hunting. All versions up to and including 5.4.3 are affected. The request needs no authentication and no user interaction, and the read runs with the privileges of the web server's PHP user, so any file that user can read is exposed: the obvious target is wp-config.php, which holds the database credentials and the authentication keys and salts, but other configuration files, backups and logs on the host are equally in reach. The CVSS v3.1 base score is 7.5 (High), consistent with a network attack vector, low attack complexity, no privileges required, no user interaction and high confidentiality impact with no integrity or availability impact (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). No public exploit had been reported at the time of writing, but a single unauthenticated HTTP request is all the attack needs, so the flaw is trivial to weaponise once the parameter is known and is a natural first step for attackers harvesting credentials for database access or lateral movement. The plugin's popularity with affiliate marketing and e-commerce sites enlarges the exposed population. The root cause is the usual one for CWE-73: the handler trusted a client-supplied path component instead of restricting it to an allow-list of expected names and verifying that the resolved path stays inside the intended base directory.
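The bug class, as an added illustration that is not the plugin's code: a handler that joins a client-supplied name onto a base directory with no check, beside a hardened version that allow-lists the name and verifies the resolved path stays inside the base. The parameter name 'unit', the template directory and the file layout are assumptions made for the demo. In PHP the same two checks are realpath() followed by a prefix comparison against the base directory, and WordPress's own validate_file() rejects names containing '..' or beginning with a path separator.

```python
"""Hypothetical illustration of CWE-73 in a REST "load a unit" handler,
beside a hardened version. This is an added example, not code from the
Auto Amazon Links plugin; the parameter name 'unit' and the directory
layout are assumptions made for the demo."""
import re
import tempfile
from pathlib import Path

UNIT_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")   # allow-list of expected names


def make_sandbox() -> tuple:
    """Construct a throwaway layout: a templates directory the handler is
    meant to serve from, a secret outside it standing in for wp-config.php,
    and a symlink inside the templates directory pointing at the secret."""
    root = Path(tempfile.mkdtemp(prefix="cwe73-demo-"))
    templates = root / "templates"
    templates.mkdir()
    (templates / "default.html").write_text("<div>unit</div>")
    (root / "wp-config.php").write_text("define('DB_PASSWORD', 'constructed-secret');")
    (templates / "evil.html").symlink_to(root / "wp-config.php")
    return root, templates


def vulnerable_load(templates: Path, params: dict) -> str:
    """Vulnerable: the client-supplied value is joined onto the base path and
    opened with no check that the result stays under `templates`. Both
    '../wp-config.php' and an absolute path escape the base directory."""
    name = params.get("unit", "default.html")
    return (templates / name).read_text()


def hardened_load(templates: Path, params: dict) -> str:
    """Hardened: (1) accept only an allow-listed name shape, then (2) resolve
    '..' and symlinks and require the result to stay inside the base
    directory. Step 1 stops traversal and absolute paths; step 2 stops a
    pre-existing symlink that passes step 1 but points outside the base."""
    name = params.get("unit", "default.html")
    if not UNIT_NAME.fullmatch(name):
        raise PermissionError(f"rejected unit name {name!r}")
    base = templates.resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"{target} escapes {base}")
    return target.read_text()


def outcome(fn, templates: Path, unit: str) -> str:
    """Run a handler and report what an attacker would observe."""
    try:
        return fn(templates, {"unit": unit})
    except PermissionError:
        return "BLOCKED"


def demo() -> dict:
    """Exercise both handlers with a benign name, a traversal payload, an
    absolute path, and a symlink that sits inside the base directory but
    points outside it."""
    root, templates = make_sandbox()
    cases = {
        "benign": "default.html",
        "traversal": "../wp-config.php",
        "absolute": str(root / "wp-config.php"),
        "symlink": "evil.html",
    }
    return {
        "vulnerable": {k: outcome(vulnerable_load, templates, v) for k, v in cases.items()},
        "hardened": {k: outcome(hardened_load, templates, v) for k, v in cases.items()},
    }


if __name__ == "__main__":
    for handler, results in demo().items():
        for case, seen in results.items():
            print(f"{handler:10s} {case:9s} -> {seen!r}")
```

The symlink case is the reason the allow-list alone is not enough: 'evil.html' is a perfectly well-formed name, and only resolving the path and comparing it against the base catches where it actually leads.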
Potential Impact
For European organizations, the direct impact is to the confidentiality of data on WordPress servers running the affected plugin. An attacker who can read wp-config.php obtains the database credentials and the authentication keys and salts, which can lead to direct database access, theft of user data and, combined with the keys and salts, forging of authentication cookies; other configuration files, backups and logs on the host extend the exposure to internal systems. The sites most affected are e-commerce stores, affiliate marketers and content publishers that rely on the plugin for revenue. A breach of personal data carries financial loss, reputational damage, regulatory exposure under the GDPR and disruption of business operations. Because exploitation needs no authentication and works remotely, every internet-facing site with the plugin is in scope, so the attack surface is broad and the likelihood of opportunistic exploitation high. Credentials and secrets obtained this way also enable follow-on attacks such as privilege escalation, data exfiltration and deployment of malware through the compromised site. The impact is greatest in sectors with strict data-protection requirements and high-value targets, such as finance, healthcare and retail within Europe.
Mitigation Recommendations
European organizations should first establish whether the Auto Amazon Links – Amazon Associates Affiliate Plugin is installed on any of their WordPress sites and which version is running; on a host with WP-CLI, `wp plugin list` shows every installed plugin with its version and status. Any installation at version 5.4.3 or earlier is affected. If the vendor has published a release later than 5.4.3, update to it; until that is done, disable or remove the plugin, which removes the REST route entirely. Restricting the route '/wp-json/wp/v2/aal_ajax_unit_loading' to trusted IP addresses or requiring authentication is only a partial measure: the route name suggests that units are loaded asynchronously for ordinary site visitors, in which case an IP allow-list breaks the feature, and any filter must also match the '/?rest_route=/wp/v2/aal_ajax_unit_loading' form, which WordPress accepts regardless of permalink settings. WAF rules should therefore key on both URL forms and on path-shaped parameter values ('../', absolute paths, 'wp-config.php', double-encoded variants such as '%252e%252e%252f'), and should inspect POST bodies as well as query strings. Review web server logs for requests to either form of the route, bearing in mind that a successful read returns an ordinary 200 response and that parameters sent in a POST body do not appear in standard access logs. Keeping sensitive files outside the web root and tightening file system permissions limits direct HTTP exposure and what the PHP user can read, but it does not protect wp-config.php, which PHP must be able to read; if exploitation is suspected, treat the database credentials and the authentication keys and salts in wp-config.php as compromised, rotate them, and check for unauthorised database or administrative access that may have followed. Finally, maintain an incident response plan so that signs of exploitation are handled promptly, and track vendor updates so that a fix is applied as soon as it is available.
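A log-hunting pass for the monitoring step above, as an added example that is not part of the original advisory. It matches both URL forms of the route, peels repeated percent-encoding, and flags parameter values shaped like file paths. The access-log lines are constructed for the demo, and the parameter names in them ('unit', 'template') are invented, since the advisory does not say which parameter carries the path.

```python
"""Added example (not from the original page): scan web-server access logs
for requests to the vulnerable REST route whose parameters look like file
paths. The log lines below are constructed for the demo, and the parameter
names in them ('unit', 'template') are invented; the advisory does not say
which parameter carries the path."""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Both ways WordPress exposes a wp/v2 route: the pretty-permalink path and
# the ?rest_route= fallback that works regardless of permalink settings.
ROUTE_PATH = "/wp-json/wp/v2/aal_ajax_unit_loading"
ROUTE_PARAM = "/wp/v2/aal_ajax_unit_loading"

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Path-shaped values: traversal, absolute Unix/Windows paths, PHP stream
# wrappers, well-known targets, embedded NUL.
PATH_SHAPED = re.compile(
    r"(\.\./|\.\.\\|^/|^[A-Za-z]:\\|^(php|file)://|wp-config\.php|/etc/passwd|\x00)",
    re.IGNORECASE,
)


def full_decode(value: str, rounds: int = 3) -> str:
    """Peel up to `rounds` layers of percent-encoding so that a double-encoded
    %252e%252e%252f is seen as '../'. parse_qsl already removed one layer."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str) -> Optional[dict]:
    """Return a record for a request to the route (suspicious or not), or
    None for unparsable lines and requests to other routes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    on_route = (parts.path.rstrip("/") == ROUTE_PATH
                or query.get("rest_route", "").rstrip("/") == ROUTE_PARAM)
    if not on_route:
        return None
    flagged = {}
    for key, raw in query.items():
        if key == "rest_route":
            continue
        value = full_decode(raw)
        if PATH_SHAPED.search(value):
            flagged[key] = value
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "status": int(m.group("status")), "params": flagged, "suspicious": bool(flagged),
    }


def scan(lines) -> list:
    """Return only the suspicious records, in log order."""
    out = []
    for line in lines:
        rec = analyse_line(line)
        if rec and rec["suspicious"]:
            out.append(rec)
    return out


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2025:10:00:01 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?unit=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Nov/2025:10:00:05 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?template=../../../../wp-config.php HTTP/1.1" 200 2913 "-" "curl/8.4.0"',
    '198.51.100.9 - - [12/Nov/2025:10:00:06 +0000] "GET /?rest_route=/wp/v2/aal_ajax_unit_loading&template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1402 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Nov/2025:10:00:09 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Nov/2025:10:00:11 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?unit=/etc/passwd HTTP/1.1" 404 61 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["status"]} {rec["params"]}')
```

A 200 on a flagged request is the one to escalate: it is the only evidence a standard access log gives that the read succeeded. Requests that carried the path in a POST body will not be caught here at all, which is why a WAF or application-level logging of the route's parameters is the better long-term source.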
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-07T16:53:27.994Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b12e14bc3e00ba783c9e
Added to database: 11/11/2025, 3:44:46 AM
Last enriched: 11/18/2025, 4:49:03 AM
Last updated: 12/27/2025, 2:15:05 AM