What is GHSA-h6jg-7g8r-wgqw?

GHSA-h6jg-7g8r-wgqw is a security advisory published by GitHub Security Advisories with High severity. The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions...

Which CVE IDs does GHSA-h6jg-7g8r-wgqw cover?

GHSA-h6jg-7g8r-wgqw covers the following CVE IDs: CVE-2026-6169. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-h6jg-7g8r-wgqw?

GHSA-h6jg-7g8r-wgqw has a CVSS v3 base score of 7.2, published by GitHub Security Advisories.

GHSA-h6jg-7g8r-wgqwHighCVSS 7.2

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2026-6169 →

📋 Description

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-6169
https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/includes/atkp_posttypes_template.php#L735
https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/includes/helper/atkp_template_helper.php#L1074
https://plugins.trac.wordpress.org/browser/affiliate-toolkit-starter/tags/3.8.5/lib/bladeone/BladeOne.php#L320
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6310a0c-5a96-4dbc-940e-025c9b907c7d?source=cve
https://github.com/advisories/GHSA-h6jg-7g8r-wgqw