{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11451", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-07T16:53:27.994Z", "datePublished": "2025-11-11T03:30:39.282Z", "dateUpdated": "2026-04-08T16:53:41.769Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:41.769Z"}, "affected": [{"vendor": "miunosoft", "product": "Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary files reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' RST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/568254a4-400d-45ea-8a96-1669b0694d70?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/output/_abstract/AmazonAutoLinks_UnitOutput_Base.php"}, {"url": "https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/option/template/AmazonAutoLinks_UnitOutput__TemplatePath.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-11-10T15:23:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T16:07:55.938196Z", "id": "CVE-2025-11451", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:07:20.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T16:07:55.938196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T16:07:57.935Z"}}], "cna": {"title": "Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "miunosoft", "product": "Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:23:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/568254a4-400d-45ea-8a96-1669b0694d70?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/output/_abstract/AmazonAutoLinks_UnitOutput_Base.php"}, {"url": "https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/option/template/AmazonAutoLinks_UnitOutput__TemplatePath.php"}], "descriptions": [{"lang": "en", "value": "The Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary files reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' RST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:41.769Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11451", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:41.769Z", "dateReserved": "2025-10-07T16:53:27.994Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:39.282Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary files reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' RST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "id": "CVE-2025-11451", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:41.433", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/option/template/AmazonAutoLinks_UnitOutput__TemplatePath.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/output/_abstract/AmazonAutoLinks_UnitOutput_Base.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/568254a4-400d-45ea-8a96-1669b0694d70?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:26:54.700364+00:00", "value": {"mitigation_remediation": ["Upgrade Auto Amazon Links plugin to version 5.4.4 or later.", "Restrict unauthenticated requests to the /wp-json/wp/v2/aal_ajax_unit_loading endpoint by blocking it in a firewall or configuring WordPress REST API permissions.", "Deploy a web application firewall rule that blocks file path traversal attempts against the plugin's REST endpoint."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the miunosoft Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin where the version is 5.4.3 or earlier. The plugin is commonly used on WordPress sites that rely on Amazon affiliate links. No other vendors or product families are reported to be impacted.", "description_and_impact": "The vulnerability exists in the Auto Amazon Links \u2013 Amazon Associates Affiliate Plugin for WordPress. Versions up to and including 5.4.3 allow unauthenticated attackers to read arbitrary files on the server via the /wp-json/wp/v2/aal_ajax_unit_loading REST API endpoint. Because the plugin lacks proper input validation, the attacker can specify a file path and retrieve its contents, exposing sensitive data. The flaw aligns with CWE\u201173 Path Traversal.", "risk_and_exploitability": "The CVSS score of 7.5 indicates moderate to high severity, while the EPSS score being less than 1% suggests a low probability of immediate exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw from any network location that can reach the site's REST API, and no authentication is required, making the attack straightforward for anyone with access to the internet. Consequently, sites that host the plugin are at risk of leaking confidential files or configuration data."}}}}, "created": "2025-11-12T12:47:45.673933+00:00", "updated": "2026-04-22T12:30:16.835825+00:00", "vendors": ["miunosoft", "miunosoft$PRODUCT$auto_amazon_links_amazon_associates_affiliate_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}