WordPress Plugin Vulnerabilities

WP Affiliate Disclosure < 1.2.7 - Cross-Site Request Forgery via check_capability

Description

The WP Affiliate Disclosure plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to incorrect nonce validation logic on the check_capability function. This makes it possible for unauthenticated attackers to update plugin options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-affiliate-disclosure
Fixed in 1.2.7

References

CVE
CVE-2023-47232
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/11cc8c6e-b60e-46b3-966e-07b1fb2bf8e9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
2cc45653-4f7c-4d01-bce4-9a10a4de2a94

Timeline

Publicly Published
2023-11-03 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
Cue < 2.4.5 - Missing Authorization
Published
2025-07-11
Title
Product XML Feed Manager for WooCommerce < 2.9.3 - Missing Authorization
Published
2025-05-16
Title
CSS3 Tooltips for WordPress < 1.9 - Missing Authorization
Published
2026-01-24
Title
Materialis Companion < 1.3.53 - Missing Authorization
Published
2024-04-25
Title
The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Missing Authorization