🔐 CVE Alert

CVE-2026-6169

HIGH 7.2

affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

CVSS Score
7.2
EPSS Score
0.0%
EPSS Percentile
0th

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.

CWE CWE-94
Vendor cservit
Product affiliate-toolkit – multi-network affiliate & amazon product display
Published May 27, 2026
Last Updated May 27, 2026
Stay Ahead of the Next One

Get instant alerts for cservit affiliate-toolkit – multi-network affiliate & amazon product display

Be the first to know when new high vulnerabilities affecting cservit affiliate-toolkit – multi-network affiliate & amazon product display are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

cservit / affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display
0 ≤ 3.8.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/b6310a0c-5a96-4dbc-940e-025c9b907c7d?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/includes/helper/atkp_template_helper.php#L1074 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/lib/bladeone/BladeOne.php#L320 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/includes/atkp_posttypes_template.php#L735

Credits

Nguyen Quang Truong