CVE-2025-14361 HIGH

CVE-2025-14361: WordPress Woocommerce Envato Affiliates plugin <= 1.2.1 - Settings Change vulnerability

Vendor Aa-Team
Product Woocommerce Envato Affiliates
Weakness CWE-862 · Missing authorization
Published May 26, 2026
Last update May 27, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Woocommerce Envato Affiliates plugin fails to properly check user permissions before allowing certain actions. A logged-in user with low privileges can modify or delete affiliate data they should not have access to, or disrupt the plugin's availability. The vulnerability affects versions up to 1.2.1.

What an attacker can do

03Attacker Capabilities

A logged-in user can modify or delete affiliate records and disrupt plugin functionality without proper authorization.

Potential impact on your site

04Site Impact

Affiliate data can be corrupted or deleted by unauthorized users, breaking affiliate tracking and payouts.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege account on the WordPress site (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated

Related vulnerabilities

08Related CVE