What the vulnerability does
Description
Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.
CVSS base score: 6.5 (Medium), computed from the vector below
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Explanation of Vulnerability in Simple Terms
Affiliates Manager for WordPress contains an authorization flaw that allows authenticated users to modify affiliate data they should not have access to. An attacker with a low-privilege account can change commission rates, payout details, or other affiliate settings because the affected code path does not perform proper permission checks. This affects versions up to and including 2.9.49. Update to a version newer than 2.9.49 to resolve the issue.
What an attacker can do
Modify affiliate commission rates, payouts, or settings belonging to other users.
Potential impact on your site
Affiliate payouts could be altered, commissions miscalculated, or affiliate accounts compromised by other users.
Conditions required to exploit
Attacker must have a valid WordPress user account with at least subscriber-level access.
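As an added illustration (not code from Affiliates Manager, whose affected code path this entry does not identify), the snippet below shows the class of flaw described above beside a hardened form: a WordPress admin-ajax handler that updates an affiliate's payout e-mail and commission rate. The table, column, capability and action names are assumptions.

```php
<?php
// Added illustration; not the Affiliates Manager plugin's code. Table name,
// column names, capability and action names are hypothetical.
// Weak pattern behind a broken-access-control bug: the wp_ajax_ hook only
// proves the caller is logged in, so any subscriber can post any affiliate_id.
function example_update_affiliate_weak() {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'example_affiliates',
        array( 'commission_rate' => (float) $_POST['rate'], 'payout_email' => $_POST['payout_email'] ),
        array( 'id' => (int) $_POST['affiliate_id'] )
    );
    wp_send_json_success();
}
// Hardened pattern: CSRF nonce, capability check for privileged fields, and a
// server-side ownership check so a user can only touch their own record.
function example_update_affiliate_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_update_affiliate', 'nonce' );
    $table        = $wpdb->prefix . 'example_affiliates';
    $affiliate_id = isset( $_POST['affiliate_id'] ) ? absint( $_POST['affiliate_id'] ) : 0;
    $owner_id     = (int) $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $affiliate_id ) );
    if ( 0 === $affiliate_id || 0 === $owner_id ) {
        wp_send_json_error( 'not found', 404 );
    }
    $is_manager = current_user_can( 'manage_options' );
    if ( ! $is_manager && $owner_id !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 ); // someone else's affiliate record
    }
    $data = array();
    if ( isset( $_POST['payout_email'] ) && is_email( $_POST['payout_email'] ) ) {
        $data['payout_email'] = sanitize_email( $_POST['payout_email'] );
    }
    if ( $is_manager && isset( $_POST['rate'] ) ) { // commission rate is manager-only
        $rate = floatval( $_POST['rate'] );
        if ( $rate >= 0 && $rate <= 100 ) {
            $data['commission_rate'] = $rate;
        }
    }
    if ( empty( $data ) ) {
        wp_send_json_error( 'nothing to update', 400 );
    }
    $wpdb->update( $table, $data, array( 'id' => $affiliate_id ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_affiliate', 'example_update_affiliate_hardened' );
```

When reviewing a plugin update for this class of issue, look for every wp_ajax_, REST or admin-post handler that writes affiliate data and confirm it performs both a capability check and an ownership check on the server side rather than trusting the submitted record id.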