CVE-2026-6169 Overview
CVE-2026-6169 is a remote code execution vulnerability affecting the affiliate-toolkit WordPress plugin in all versions up to and including 3.8.5. The flaw resides in the plugin's use of the BladeOne templating engine's runString() method, which compiles user-supplied template content into PHP and executes it through eval() without sanitization or sandboxing. Authenticated attackers holding Editor-level access or higher can inject PHP directly into a plugin template to gain arbitrary code execution on the server. The vulnerability is classified as [CWE-94] Improper Control of Generation of Code (Code Injection).
Critical Impact
Authenticated Editor-level users can execute arbitrary PHP on the underlying web server, leading to full WordPress site compromise.
Affected Products
- affiliate-toolkit WordPress plugin (affiliate-toolkit-starter) versions up to and including 3.8.5
- Installations using the bundled BladeOne templating library (lib/bladeone/BladeOne.php)
- WordPress sites granting Editor or higher roles to untrusted users
Discovery Timeline
- 2026-05-27 - CVE-2026-6169 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-6169
Vulnerability Analysis
The affiliate-toolkit plugin renders templates through the BladeOne PHP templating engine, a standalone port of Laravel's Blade. The plugin invokes BladeOne's runString() method against template content that originates from authenticated user input stored in the plugin's template post type.
runString() compiles Blade syntax into raw PHP source and evaluates that source with PHP's eval() construct. Because the input is treated as trusted template code, an attacker can embed arbitrary PHP expressions inside Blade directives such as {{ ... }} or @php ... @endphp, which are then executed during rendering. The plugin performs no sanitization, output escaping, or sandboxing of template payloads prior to evaluation.
Root Cause
The root cause is the unsafe combination of dynamic template compilation and code evaluation on attacker-controlled input. The vulnerable sinks include the template handler at includes/atkp_posttypes_template.php line 735, the helper at includes/helper/atkp_template_helper.php line 1074, and BladeOne's runString() implementation at lib/bladeone/BladeOne.php line 320. The design treats Editor-level template authoring as a trusted operation, even though the WordPress Editor role is not intended to grant server-side code execution.
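To make the root cause concrete, here is an added example (not the plugin's own code) that places the vulnerable pattern the advisory describes next to a hardened replacement that never compiles Editor-supplied text. It assumes the bundled library lives at lib/bladeone/BladeOne.php under the eftec\bladeone namespace; $editor_template and $data stand in for the stored template body and the product values the plugin would pass in.

```php
<?php
// Added illustration, not the affiliate-toolkit code. Assumes the bundled
// BladeOne copy exposes the upstream eftec\bladeone\BladeOne class.
require_once __DIR__ . '/lib/bladeone/BladeOne.php';

use eftec\bladeone\BladeOne;

// VULNERABLE: the stored template is compiled to PHP and eval()'d, so whoever
// can edit the template (an Editor) can run PHP as the web server user.
function render_vulnerable(string $editor_template, array $data): string
{
    $blade = new BladeOne();
    return $blade->runString($editor_template, $data);
}

// HARDENED: the stored template is treated as data. Only whitelisted keys in
// the form {{ key }} are substituted, values are HTML-escaped, and everything
// else (an @php block, a {{ call() }}, a {!! !!}) is emitted as literal text
// that is never compiled or evaluated. This replaces Blade for that content,
// which is a design change, not a drop-in patch.
function render_hardened(string $editor_template, array $data): string
{
    return preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $m) use ($data): string {
            // Unknown placeholder: keep it visible, escaped, rather than eval it.
            $value = array_key_exists($m[1], $data) ? (string) $data[$m[1]] : $m[0];
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $editor_template
    );
}

// Constructed sample: placeholder template plus product data.
$data = ['title' => 'Widget <b>Pro</b>', 'price' => '9.99'];
$tpl  = '<h2>{{ title }}</h2><span>{{ price }} EUR @php echo 1; @endphp</span>';
echo render_hardened($tpl, $data), PHP_EOL;
```

The @php fragment in the sample survives only as inert text in the hardened output, which is the property the plugin's runString() path lacks.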
Attack Vector
Exploitation requires authenticated access with the Editor role or higher. An attacker creates or edits an affiliate-toolkit template post and supplies template content containing embedded PHP through Blade syntax. When the template is rendered, BladeOne compiles the malicious content and eval() executes the resulting PHP under the web server user, granting full code execution within the WordPress process context. No user interaction beyond rendering the affected template is required.
Detection Methods for CVE-2026-6169
Indicators of Compromise
- Unexpected PHP files written under wp-content/uploads/ or plugin directories following template edits
- Outbound network connections from the PHP-FPM or Apache process to attacker infrastructure shortly after template rendering
- New or modified affiliate-toolkit template entries authored by Editor accounts that contain Blade directives such as @php, {{ system(...) }}, or {!! ... !!}
- WordPress audit log entries showing template post type modifications correlated with anomalous shell or process activity
Detection Strategies
- Inspect the affiliate-toolkit template post type content for Blade directives containing PHP function calls, backticks, or eval, system, exec, passthru, shell_exec, and assert references.
- Monitor for PHP child processes spawning shell binaries (/bin/sh, /bin/bash, cmd.exe) from the web server user, which is uncommon under normal WordPress operation.
- Hash and baseline plugin files; alert on additions or modifications inside the BladeOne compiled cache directory.
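The first detection strategy above, inspecting template bodies for Blade constructs that reach eval(), as an added heuristic scanner (not plugin or Wordfence code). The template strings are constructed samples; in practice the input would be the post_content of the plugin's template posts, whose post type name the advisory does not give.

```php
<?php
// Added example: flag Blade constructs in stored template bodies that
// runString() would compile into PHP. Function list taken from the
// advisory's detection guidance, extended with proc_open and popen.
const ATK_DANGEROUS_FUNCS = ['eval', 'system', 'exec', 'passthru',
    'shell_exec', 'assert', 'proc_open', 'popen'];

function atk_scan_template(string $body): array
{
    $findings = [];
    if (preg_match('/@php\b/i', $body)) {
        $findings[] = 'HIGH: @php directive embeds a raw PHP block';
    }
    if (preg_match('/\{!!.*?!!\}/s', $body)) {
        $findings[] = 'review: unescaped {!! !!} echo';
    }
    if (preg_match('/`[^`]+`/', $body)) {
        $findings[] = 'HIGH: backtick shell-execution operator';
    }
    // Any {{ ... }} echo whose expression calls a function ("name(").
    if (preg_match_all('/\{\{\s*(.*?)\s*\}\}/s', $body, $m)) {
        foreach ($m[1] as $expr) {
            if (preg_match('/\b([a-z_][a-z0-9_]*)\s*\(/i', $expr, $f)) {
                $name = strtolower($f[1]);
                $sev  = in_array($name, ATK_DANGEROUS_FUNCS, true) ? 'HIGH' : 'review';
                $findings[] = "$sev: function call $name() inside {{ }}";
            }
        }
    }
    return $findings;
}

// Constructed sample templates: one benign, two that need attention.
$samples = [
    'benign'    => '<h2>{{ $product->title }}</h2><p>{{ $product->price }}</p>',
    'php-block' => '<div>@php $x = 1; @endphp {{ $x }}</div>',
    'func-call' => '<p>{{ strtoupper($product->title) }}</p>',
];
foreach ($samples as $id => $tpl) {
    $hits = atk_scan_template($tpl);
    printf("%-10s %s\n", $id, $hits ? implode('; ', $hits) : 'no Blade code constructs');
}
```

Any "HIGH" hit on a template authored by a non-administrator account is worth correlating with the process and file-system indicators listed above.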
Monitoring Recommendations
- Enable WordPress activity logging to capture role assignments and template post creations or edits by non-administrator accounts.
- Forward web server, PHP error, and authentication logs to a central analytics platform and alert on Editor logins followed by template rendering and outbound connections.
- Review the Wordfence Vulnerability Report for current signature coverage and exploit traffic patterns.
How to Mitigate CVE-2026-6169
Immediate Actions Required
- Update the affiliate-toolkit plugin to a version newer than 3.8.5 once the vendor publishes a fix.
- Audit all WordPress accounts with Editor, Author, Administrator, or custom roles capable of editing affiliate-toolkit templates and remove unnecessary privileges.
- Rotate credentials and review uploaded files on any site where untrusted Editor accounts exist, treating affected hosts as potentially compromised.
Patch Information
No fixed version is listed in the NVD record at the time of publication. Track the Wordfence Vulnerability Report and the plugin's WordPress code repository for an updated release that removes the use of runString() against user-supplied content.
Workarounds
- Deactivate and remove the affiliate-toolkit plugin until a patched release is available.
- Restrict Editor-and-above roles to trusted administrators only, since standard WordPress hardening assumes Editor accounts are not capable of arbitrary code execution.
- Deploy a web application firewall rule that blocks request bodies containing Blade @php directives or PHP function tokens destined for the plugin's template endpoints.
- Apply PHP disable_functions to restrict dangerous functions such as system, exec, shell_exec, passthru, and proc_open where compatible with the application.
# Example: disable the affiliate-toolkit plugin via WP-CLI pending a vendor patch
wp plugin deactivate affiliate-toolkit-starter
wp plugin delete affiliate-toolkit-starter
# Example: list users with Editor or higher privileges for review
wp user list --role=editor --fields=ID,user_login,user_email,user_registered
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.