CVE-2026-1073 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase Button For Affiliate Link plugin for WordPress, versions up to and including 1.0.2. The vulnerability stems from the absence of nonce validation in the form handler located in 'inc/purchase-btn-options-page.php', specifically on the plugin's settings page. Nonce validation is a security mechanism designed to ensure that requests to modify settings originate from legitimate users and not from forged requests. Due to this missing validation, an attacker can craft a malicious link or webpage that, when visited by a WordPress site administrator, triggers unauthorized changes to the plugin's settings without the administrator's explicit consent. Since the attacker does not need to be authenticated but requires the administrator to interact with the malicious content, the attack vector relies on social engineering. The impact is limited to integrity, as attackers can alter plugin configurations, potentially redirecting affiliate links or changing purchase button behaviors, which could lead to revenue loss or reputational damage. Confidentiality and availability are not directly affected. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No patches or exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of this vulnerability is on the integrity of the affected WordPress sites using the Purchase Button For Affiliate Link plugin. Attackers can modify plugin settings without authentication by exploiting the CSRF flaw, potentially redirecting affiliate links to malicious or competitor URLs, disrupting affiliate marketing revenue streams. This could also lead to loss of trust from users or partners if affiliate links are manipulated. Although confidentiality and availability are not directly compromised, the unauthorized changes could indirectly affect business operations and revenue. The requirement for administrator interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk, especially in environments where administrators frequently access untrusted content. Organizations relying on this plugin for affiliate marketing or e-commerce should consider the risk of financial impact and reputational damage. Since no known exploits are reported, the threat is currently theoretical but could increase if exploit code becomes available.

To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. If no official patch exists, administrators or developers should implement nonce validation on the settings page form handler to ensure that all requests modifying plugin settings include a valid nonce token, preventing unauthorized CSRF attempts. Additionally, administrators should be trained to avoid clicking on suspicious links or visiting untrusted websites while logged into WordPress admin accounts. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts can provide an additional layer of defense. Regularly auditing plugin configurations and monitoring for unexpected changes can help detect exploitation attempts early. Finally, consider restricting administrative access to trusted networks or using multi-factor authentication to reduce the risk of compromised admin sessions.