CVE-2025-11451 Overview
CVE-2025-11451 is an unauthenticated arbitrary file read vulnerability in the Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress. The flaw affects all versions up to and including 5.4.3 and resides in the /wp-json/wp/v2/aal_ajax_unit_loading REST API endpoint. Unauthenticated attackers can supply controlled file path values to the endpoint and read the contents of arbitrary files on the underlying server. Sensitive files such as wp-config.php, private keys, and log data are exposed through this path. The issue is tracked under [CWE-73: External Control of File Name or Path].
Critical Impact
Unauthenticated remote attackers can read arbitrary files, including wp-config.php, exposing database credentials and authentication secrets.
Affected Products
- Auto Amazon Links – Amazon Associates Affiliate Plugin for WordPress
- All versions through 5.4.3
- WordPress sites exposing the /wp-json/wp/v2/aal_ajax_unit_loading REST endpoint
Discovery Timeline
- 2025-11-11 - CVE-2025-11451 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11451
Vulnerability Analysis
The vulnerability resides in the plugin's REST API route registered at /wp-json/wp/v2/aal_ajax_unit_loading. This endpoint handles unit template loading for Amazon affiliate units rendered on the front end. The handler accepts a template path parameter that is passed to file inclusion or read functions without sufficient validation. Because the route is registered without an authentication or capability callback, any unauthenticated client can issue requests directly. The plugin's template path resolution logic, implemented in AmazonAutoLinks_UnitOutput__TemplatePath.php and the abstract output class AmazonAutoLinks_UnitOutput_Base.php, fails to constrain user-supplied paths to a safe template directory.
Root Cause
The root cause is improper neutralization of file path input passed through the REST API. The plugin trusts client-supplied values used to construct a template path, allowing directory traversal sequences and absolute paths to escape the intended template directory. No path canonicalization or allowlist check is enforced before the file contents are read and returned in the response.
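As an added illustration of the two resolution strategies this root cause contrasts (my Python, not the plugin's PHP code and not taken from the advisory), the join-and-read pattern that lets `..` segments and absolute paths escape is shown beside a hardened resolver that allowlists template names, rejects separators and null bytes, and confirms the canonical path still lies under the template directory. The directory path and the template names are constructed assumptions; the plugin's real parameter and file names are not on the page.

```python
import os
import re
from typing import Optional

# Constructed stand-in for the plugin's template directory (assumed path, not from the page).
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/amazon-auto-links/template"

# Allowlist of template names the front end may request (constructed example names).
ALLOWED_TEMPLATES = {"category", "search", "item_lookup"}

# A template name is a bare identifier: no separators, no dots, no percent-encodings.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_template_unsafe(requested: str, base: str = TEMPLATE_DIR) -> str:
    """The pattern the advisory describes: the client value is joined onto the
    template directory and used as-is. os.path.join discards `base` when
    `requested` is absolute, and '..' segments walk out of it."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_template_safe(requested: str, base: str = TEMPLATE_DIR) -> Optional[str]:
    """Hardened resolution: allowlist the name, then canonicalize and confirm the
    result still lies under the template directory. Returns None on any
    violation so the caller can answer 400/403 instead of reading a file."""
    if "\0" in requested:
        return None                      # an embedded NUL would truncate the C-level path
    if not NAME_RE.fullmatch(requested):
        return None                      # rejects '/', '\\', '..', '%xx' and similar
    if requested not in ALLOWED_TEMPLATES:
        return None                      # unknown template name
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested + ".php"))
    # Defence in depth: even if the allowlist is loosened later, the canonical
    # path (symlinks resolved) must keep the template directory as its prefix.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("category", "../../../../wp-config.php", "/etc/passwd", "missing"):
        print(f"{name!r:32} unsafe={resolve_template_unsafe(name)!r:42} "
              f"safe={resolve_template_safe(name)!r}")
```

The allowlist is the primary control; the canonical-prefix check is the backstop that also catches a symlink planted inside the template directory, which the name check alone would not.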
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the vulnerable REST route, supplying a path that points to a sensitive server file. The endpoint responds with the file contents, enabling theft of database credentials from wp-config.php, SSH keys, or other configuration data. Successful disclosure can be chained into full site compromise once database secrets or authentication keys are recovered. Refer to the Wordfence Vulnerability Report and the affected source files in AmazonAutoLinks_UnitOutput__TemplatePath.php for technical details.
Detection Methods for CVE-2025-11451
Indicators of Compromise
- HTTP requests to /wp-json/wp/v2/aal_ajax_unit_loading containing path traversal sequences such as ../ or absolute paths like /etc/passwd or wp-config.php.
- Unexpected outbound responses from the WordPress site containing PHP configuration constants such as DB_PASSWORD or AUTH_KEY.
- Web server access logs showing unauthenticated GET or POST traffic to the aal_ajax_unit_loading endpoint from unfamiliar source IPs.
Detection Strategies
- Inspect WordPress and reverse proxy logs for requests to the vulnerable REST route correlated with non-standard template parameter values.
- Deploy WAF rules that flag path traversal patterns (..%2F, ....//, encoded null bytes) targeting /wp-json/wp/v2/ routes.
- Monitor file system audit logs for unusual reads of wp-config.php, .env, or /etc/ files originating from the PHP worker process.
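An added log-scanning example covering the indicators listed under Indicators of Compromise and Detection Strategies above (my Python, not from the advisory, Wordfence, or the plugin). It parses combined-format access log lines, decodes repeated percent-encoding so that `..%2F` and double-encoded forms are seen as traversal, and flags requests to the route whose query parameters carry traversal sequences, absolute paths, null bytes, or sensitive file names. The log lines are constructed, and the `template` parameter name is a placeholder; the scanner inspects every parameter, so it does not depend on the real name. POST bodies do not appear in access logs, so this covers the GET/query-string case only.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

VULN_ROUTE = "/wp-json/wp/v2/aal_ajax_unit_loading"

# Indicators from the advisory: traversal sequences, null bytes, sensitive file names.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\x00)")
SENSITIVE_RE = re.compile(r"(wp-config\.php|/etc/passwd|\.env\b|id_rsa)", re.IGNORECASE)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (..%2F, %252e%252e%252f) up to `rounds`
    times so double-encoded traversal does not slip past a single-decode check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_target(target: str) -> List[str]:
    """Return indicator names for one request target; [] if not the vulnerable route."""
    parts = urlsplit(target)
    if not parts.path.startswith(VULN_ROUTE):
        return []
    findings = ["vulnerable_route"]
    # parse_qsl decodes one layer; fully_decode strips any further layers.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value) or value.startswith("/"):
            findings.append(f"path_traversal:{key}")
        if SENSITIVE_RE.search(value):
            findings.append(f"sensitive_file:{key}")
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request that hits the route AND carries an indicator.
    A plain request to the route is normal front-end traffic, not an alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_target(m["target"])
        if len(findings) > 1:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
                "findings": findings[1:],
            })
    return hits


# Constructed sample lines (not real traffic); `template` is a placeholder parameter name.
SAMPLE_LOG = [
    '198.51.100.23 - - [11/Nov/2025:10:15:02 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?template=category HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Nov/2025:10:15:09 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?template=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3190 "-" "python-requests/2.31"',
    '203.0.113.7 - - [11/Nov/2025:10:15:11 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1840 "-" "python-requests/2.31"',
    '203.0.113.7 - - [11/Nov/2025:10:15:14 +0000] "GET /wp-json/wp/v2/aal_ajax_unit_loading?template=category%00.txt HTTP/1.1" 403 153 "-" "python-requests/2.31"',
    '192.0.2.44 - - [11/Nov/2025:10:16:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["findings"]))
```

A 200 with a large byte count on a flagged request is the case to escalate first, since it suggests the file contents were actually returned; a 403 on the same pattern shows the request was blocked but still identifies the source worth watching.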
Monitoring Recommendations
- Alert on REST API requests to plugin endpoints from unauthenticated sessions where the request body or query string contains filesystem path indicators.
- Track sudden spikes in 4xx responses, or unusually large 2xx responses, on /wp-json/ paths; either pattern may indicate enumeration.
- Forward WordPress, PHP-FPM, and web server logs into a centralized SIEM such as Singularity Data Lake for correlation across the request lifecycle.
How to Mitigate CVE-2025-11451
Immediate Actions Required
- Update the Auto Amazon Links plugin to a version released after 5.4.3 that addresses CVE-2025-11451.
- If no patched version is available, deactivate and remove the plugin until a fix is released.
- Rotate all secrets stored in wp-config.php, including database credentials and WordPress salts, if exploitation is suspected.
- Review web server access logs for prior requests to /wp-json/wp/v2/aal_ajax_unit_loading and assess potential exposure.
Patch Information
The vendor has not published a fixed version reference within the NVD record at the time of writing. Administrators should monitor the Wordfence advisory and the WordPress.org plugin page for the official patched release.
Workarounds
- Block public access to the /wp-json/wp/v2/aal_ajax_unit_loading route at the WAF or reverse proxy layer.
- Restrict the WordPress REST API to authenticated users where business requirements permit.
- Apply file system permission hardening so the PHP worker user cannot read sensitive files outside the web root.
# Example NGINX block to deny public access to the vulnerable endpoint.
# The regex location matches the route regardless of query string. Note that
# "return 403" is evaluated in the rewrite phase, before "deny all" is checked,
# so either directive alone is sufficient; both are kept here for clarity.
# With plain permalinks the REST API is reached as /?rest_route=/wp/v2/...,
# which this location does not match; cover that form separately if it is enabled.
location ~* /wp-json/wp/v2/aal_ajax_unit_loading {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.