Affiliates Manager < 2.9.35 – Cross-Site Request Forgery | CVE 2024-0859 | Plugin Vulnerabilities

Description

The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

affiliates-manager

Fixed in 2.9.35

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nathaniel Oh (0x4n3)

Verified

No

WPVDB ID

66e7a70d-3448-4c76-9a84-3b83f0b3a3eb

Timeline

Publicly Published

2024-01-30 (about 2 years ago)

Added

2024-01-30 (about 2 years ago)

Last Updated

2024-01-30 (about 2 years ago)

Other

Published

Title

Published

2026-04-07

Title

BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net < 1.1.6 - Cross-Site Request Forgery to Product Data Modification

Published

2022-10-17

Title

WP < 6.0.3 - CSRF in wp-trackback.php

Published

2021-03-01

Title

Multiple Plugins - CSRF Nonce Bypasses

Published

2022-08-02

Title

MaxButtons < 9.3 - Arbitrary Settings Update via CSRF

Published

2025-09-22

Title

Fastly < 1.2.29 - Cross-Site Request Forgery