WordPress Plugin Vulnerabilities

AffiliateWP < 2.14.1 - Subscriber+ Arbitrary Plugin Activation

Description

The theme does not have authorisation and CSRF when activating plugins via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary plugins

Affects Plugins

Plugin icon
AffiliateWP
Fixed in 2.14.1

References

CVE
CVE-2023-4600

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
0f1ae148-3915-4878-b93c-9358330fe7cb

Timeline

Publicly Published
2023-08-29 (about 2 years ago)
Added
2023-09-18 (about 2 years ago)
Last Updated
2023-09-18 (about 2 years ago)

Other

Published
Title
Published
2024-02-27
Title
Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan < 4.52 - Missing Authorization to Unauthenticated IP Address Whitelist
Published
2025-09-26
Title
Grand Conference Theme Custom Post Type < 2.6.4 - Missing Authorization
Published
2025-01-07
Title
Post SMTP < 2.9.12 - Missing Authorization via regenerate_qrcode()
Published
2022-08-25
Title
About Rentals <= 1.5 - Unauthenticated Actions
Published
2026-03-23
Title
WP Configurator Pro < 3.8.0 - Missing Authorization