CVE-2022-36284 MEDIUM

CVE-2022-36284: WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change

Vendor: Storeapps
Product: Affiliate For WooCommerce (WordPress plugin)
Published: August 5, 2022
Last update: April 28, 2026

CVSS base score

6.4/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

Authenticated IDOR vulnerability in the StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 for WordPress allows an attacker to change the PayPal email. The WooCommerce PayPal Payments plugin (free) has to be at least installed for the extra input field to appear on the user profile page.

Key dates

02 Disclosure timeline

August 5, 2022: CVE published
April 28, 2026: Record updated