What the vulnerability does
01Description
Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1.
Explanation of Vulnerability in Simple Terms
02Summary
The Woocommerce Envato Affiliates plugin fails to properly check user permissions before allowing certain actions. A logged-in user with low privileges can modify or delete affiliate data they should not have access to, or disrupt the plugin's availability. The vulnerability affects versions up to 1.2.1.
What an attacker can do
03Attacker Capabilities
A logged-in user can modify or delete affiliate records and disrupt plugin functionality without proper authorization.
Potential impact on your site
04Site Impact
Affiliate data can be corrupted or deleted by unauthorized users, breaking affiliate tracking and payouts.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the WordPress site (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
May 26, 2026
CVE published
May 27, 2026
Record updated