The Auto Affiliate Links plugin for WordPress suffers from a stored XSS vulnerability due to improper input sanitization and output escaping. Specifically, the 'url' POST parameter handled by aal_url_stats_save_action() is not properly sanitized, and the stored value is echoed directly in the admin statistics page via aal_display_clicks() without using WordPress escaping functions (esc_url(), esc_attr(), esc_html()). An unauthenticated AJAX endpoint registered with wp_ajax_nopriv_ allows attackers to inject arbitrary scripts that execute in administrator browsers, potentially compromising admin sessions or site integrity. The CVSS 3.1 score is 7.2 (high severity) with network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity with scope change.

Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of an administrator's browser when they view the statistics page. This can lead to theft of admin credentials, session hijacking, or other malicious actions performed with admin privileges. The vulnerability affects site confidentiality and integrity but does not impact availability. No known exploits in the wild have been reported to date.

No official patch or remediation is currently available from the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, administrators should limit access to the statistics page and monitor for suspicious activity. Applying strict input validation or output escaping via custom code may mitigate risk but requires technical expertise.