ThirstyAffiliates WordPress Plugin Vulnerabilities

The United States National Vulnerability Database (NVD) announced that the ThirstyAffiliates Affiliate Link Manager WordPress plugin has two vulnerabilities that can allow a hacker to inject links. Additionally, the plugin lacks Cross-Site Request Forgery (CSRF) checks, which can lead to a complete compromise of the victim’s website.

ThirstyAffiliates Link Manager Plugin

The ThirstyAffiliates Link Manager WordPress plugin offers affiliate link management tools. Affiliate links change constantly, and once a link goes stale the affiliate no longer earns money from it.

The WordPress affiliate link management plugin solves this problem by providing a way to manage affiliate links from a single area in the WordPress administrator panel, which makes it easy to change the destination URLs across the entire site by changing one link.

The tool also lets authors insert affiliate links into content as the content is written.

ThirstyAffiliates Link Manager WordPress Plugin Vulnerabilities

The United States National Vulnerability Database (NVD) described two vulnerabilities that allow any logged-in user, including users at the subscriber level, to create affiliate links and to attach images from external URLs to those links, so that visitors who click the links can be sent to any website.

The NVD describes the vulnerabilities:


“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.”
“The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link.

Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.”

Cross-Site Request Forgery

A Cross-Site Request Forgery attack tricks a logged-in user’s browser into sending a request the user never intended, so the website carries out an action of the attacker’s choosing under that user’s account.

A website without CSRF checks cannot tell the difference between a request the logged-in user actually made and a forged one, because the browser attaches the user’s session cookie to both (authenticated means logged-in).

If the logged-in user has administrator-level access, the attack can lead to a total site takeover, because the entire website is compromised.
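The two missing controls the NVD entries describe, an authorization check and a CSRF check, map onto two lines in a WordPress admin-ajax handler. The following is an added example written for this article, not ThirstyAffiliates code: the action name `example_create_link`, the post type `example_link`, the meta key and the nonce name are all hypothetical, and the vulnerable variant is deliberately not hooked to any action. The only real plugin identifier on this page is the `ta_insert_external_image` action named by the NVD; everything else here is a generic WordPress pattern.

```php
<?php
/**
 * Added example (not ThirstyAffiliates code). Shows a link-creation AJAX
 * handler in the weak shape the advisories describe, next to a hardened one.
 * Action name, post type, meta key and nonce name are hypothetical.
 */

// --- Vulnerable pattern: authentication only.
// Any wp_ajax_* hook is reachable by every logged-in user (Subscriber included),
// and the browser attaches the login cookie whether the user or a forged page
// sent the request. Nothing here asks "may this user do this?" or "did this
// user really submit this form?". Not hooked on purpose; shown for contrast.
function example_create_link_vulnerable() {
    $url = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $post_id = wp_insert_post( array(
        'post_type'   => 'example_link', // hypothetical post type
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'publish',
        'meta_input'  => array( '_example_destination' => $url ),
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// --- Hardened pattern: capability check + nonce check + input validation.
function example_create_link_hardened() {
    // Authorization: is this user allowed to manage links at all?
    // 'manage_options' restricts the action to administrators; a plugin would
    // pick the narrowest capability that fits the feature.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // CSRF: the nonce is only present on a page the server rendered for this
    // user, so a forged cross-site request cannot supply a valid one.
    // check_ajax_referer() terminates the request with a 403 when the
    // '_wpnonce' field is missing or does not verify.
    check_ajax_referer( 'example_create_link', '_wpnonce' );

    // Input validation: accept only a well-formed http(s) destination.
    $url = esc_url_raw( wp_unslash( $_POST['url'] ?? '' ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_send_json_error( 'invalid destination url', 400 );
    }

    // Second argument true makes wp_insert_post() return a WP_Error on failure
    // instead of 0, so the failure can be reported rather than silently ignored.
    $post_id = wp_insert_post( array(
        'post_type'   => 'example_link',
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'publish',
        'meta_input'  => array( '_example_destination' => $url ),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
// Register only the wp_ajax_ (logged-in) hook, never wp_ajax_nopriv_, for an
// action that changes site content.
add_action( 'wp_ajax_example_create_link', 'example_create_link_hardened' );

// The admin page that renders the form must emit the matching nonce so the
// legitimate submission carries it; a forged page has no way to obtain it.
function example_render_nonce_field() {
    wp_nonce_field( 'example_create_link', '_wpnonce' );
}
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm it contains both a `current_user_can()` (or a REST `permission_callback`) and a `check_ajax_referer()` / `wp_verify_nonce()` call before any state changes; the NVD descriptions above are exactly the case where both were absent.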

Updating ThirstyAffiliates Link Manager Plugin is Recommended

The ThirstyAffiliates plugin has issued a patch for the two vulnerabilities. It may be prudent to update to the patched version of the plugin, 3.10.5, which is the first version the NVD entries list as not affected.


Read the Official NVD Vulnerability Warnings

CVE-2022-0634 Detail

CVE-2022-0398 Detail

Read the WPScan Vulnerability Details and Review the Proof of Concepts

ThirstyAffiliates Affiliate Link Manager < 3.10.5 – Subscriber+ Arbitrary Affiliate Links Creation


ThirstyAffiliates < 3.10.5 – Subscriber+ unauthorized image upload + CSRF


B2B PPC Experts Give Their Take On Google Search On Announcements

Google hosted its 3rd annual Search On event on September 28th.

The event announced numerous Search updates revolving around these key areas:

  • Visualization
  • Personalization
  • Sustainability

After the event, Google’s Ads Liaison, Ginny Marvin, hosted a roundtable of PPC experts specifically in the B2B industry to give their thoughts on the announcements, as well as how they may affect B2B. I was able to participate in the roundtable and gained valuable feedback from the industry.

The roundtable of experts consisted of Brad Geddes, Melissa Mackey, Michelle Morgan, Greg Finn, Steph Bin, Michael Henderson, Andrea Cruz Lopez, and myself (Brooke Osmundson).

The Struggle With Images

Some of the updates in Search include browsable search results, larger image assets, and business messages for conversational search.

Brad Geddes, Co-Founder of Adalysis, mentioned “Desktop was never mentioned once.” Others echoed the same sentiment, that many of their B2B clients rely on desktop searches and traffic. With images showing mainly on mobile devices, their B2B clients won’t benefit as much.

Another great point came up about the context of images. While images are great for a user experience, the question reiterated by multiple roundtable members:

  • How is a B2B product or B2B service supposed to portray what they do in an image?

Images in search are certainly valuable for verticals such as apparel, automotive, and general eCommerce businesses. But for B2B, they may be left at a disadvantage.

More Use Cases, Please

Ginny asked the group what they’d like to change or add to an event like Search On.


The overall consensus: both Search On and Google Marketing Live (GML) have become more consumer-focused.

Greg Finn said that the Search On event was about what he expected, but Google Marketing Live feels too broad now and that Google isn’t speaking to advertisers anymore.

Marvin acknowledged and then revealed that Google received feedback that after this year’s GML, the vision felt like it was geared towards a high-level investor.

The group gave a few potential solutions to help fill the current gap between what was announced and how advertisers can act on it.

  • 30-minute follow-up session on how these relate to advertisers
  • Focus less on verticals
  • Provide more use cases

Michelle Morgan and Melissa Mackey said that “even just screenshots of a B2B SaaS example” would help them immensely. Providing tangible action items on how to bring this information to clients is key.

Google Product Managers Weigh In

The second half of the roundtable included input from multiple Google Search Product Managers. I started off with a more broad question to Google:

  • It seems that Google is becoming a one-stop shop for a user to gather information and make purchases. How should advertisers prepare for this? Will we expect to see lower traffic, higher CPCs to compete for that coveted space?

Cecilia Wong, Global Product Lead of Search Formats, Google, mentioned that while they can’t comment directly on the overall direction, they do focus on Search. Their recommendation:

  • Manage assets and images and optimize for best user experience
  • For B2B, align your images as a sneak peek of what users can expect on the landing page

However, image assets have tight restrictions on what’s allowed. I followed up by asking if they would be loosening asset restrictions for B2B to use creativity in its image assets.

Google could not comment directly but acknowledged that looser restrictions on image content are a need for B2B advertisers.

Is Value-Based Bidding Worth The Hassle?

The topic of value-based bidding came up after Carlo Buchmann, Product Manager of Smart Bidding, said that they want advertisers to embrace and move towards value-based bidding. While the feedback seemed grim, it opened up for candid conversation.

Melissa Mackey said that while she’s talked to her clients about value-based bidding, none of her clients want to pull the trigger. For B2B, it’s difficult to assess the value of different conversion points.


Further, she stated that clients become fixated on their pipeline information and can end up making it too complicated. To sum up, they’re struggling to translate the value number input to what a sale is actually worth.

Geddes mentioned that some of his more sophisticated clients have moved back to manual bidding because Google doesn’t take all the values and signals to pass back and forth.

Finn closed the conversation with his experience. He emphasized that Google has not brought forth anything about best practices for value-based bidding. By having only one value, it seems like CPA bidding. And when a client has multiple value inputs, Google tends to optimize towards the lower-value conversions – ultimately affecting lead quality.

The Google Search Product Managers closed by providing additional resources to dig into overall best practices to leverage search in the world of automation.

Closing Thoughts

Google made it clear that the future of search is visual. For B2B companies, it may require extra creativity to succeed and compete with the visualization updates.

However, the PPC roundtable experts weighed in that if Google wants advertisers to adopt these features, they need to support advertisers more – especially B2B marketers. With limited time and resources, advertisers big and small are trying to do more with less.

Marketers are relying on Google to make these Search updates relevant to not only the user but the advertisers. Having clearer guides, use cases, and conversations is a great step to bringing back the Google and advertiser collaboration.

A special thank you to Ginny Marvin of Google for making space to hear B2B advertiser feedback, as well as all the PPC experts for weighing in.


Featured image: Shutterstock/T-K-M
