CVE-2025-11451 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress. This plugin, widely used to integrate Amazon affiliate links into WordPress sites, contains a flaw in its REST API endpoint '/wp-json/wp/v2/aal_ajax_unit_loading' that allows unauthenticated attackers to perform arbitrary file reads on the hosting server. The vulnerability arises because the plugin fails to properly validate or sanitize user-supplied input controlling file paths, enabling attackers to specify arbitrary file names or paths. Exploiting this vulnerability does not require any authentication or user interaction, making it easily exploitable remotely over the network. Successful exploitation can lead to disclosure of sensitive files such as configuration files, credentials, or other private data stored on the server. The vulnerability affects all versions up to and including 5.4.3 of the plugin. Although no patches or fixes are currently linked, the vulnerability has been publicly disclosed and assigned a CVSS 3.1 base score of 7.5, reflecting high confidentiality impact but no impact on integrity or availability. There are no known exploits in the wild yet, but the ease of exploitation and potential data exposure make it a critical concern for WordPress site administrators using this plugin.

The primary impact of CVE-2025-11451 is unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable WordPress plugin. Attackers can read arbitrary files, potentially exposing database credentials, API keys, user data, or other confidential information. This can lead to further compromise of the website or backend systems, including privilege escalation or data breaches. Since the vulnerability requires no authentication and no user interaction, it can be exploited by remote attackers at scale, increasing the risk of widespread data leakage. Organizations relying on this plugin for affiliate marketing may suffer reputational damage, loss of customer trust, and regulatory consequences if sensitive data is exposed. The vulnerability does not directly affect system integrity or availability, but the confidentiality breach alone is significant. Given the popularity of WordPress and the Amazon affiliate program, many e-commerce and content websites worldwide are at risk.

1. Immediate mitigation involves disabling or removing the Auto Amazon Links – Amazon Associates Affiliate Plugin until a security patch is released. 2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing this vulnerability and apply them promptly. 3. Implement web application firewall (WAF) rules to block or restrict access to the vulnerable REST API endpoint '/wp-json/wp/v2/aal_ajax_unit_loading' from untrusted sources. 4. Restrict file system permissions on the web server to limit the plugin's ability to access sensitive files, minimizing potential data exposure. 5. Conduct a thorough audit of server logs and files to detect any signs of exploitation or unauthorized access. 6. Educate site administrators about the risks of installing plugins from unverified sources and the importance of timely updates. 7. Consider using security plugins that can detect and block attempts to exploit path traversal or arbitrary file read vulnerabilities. 8. Regularly back up website data and configurations to enable recovery in case of compromise.