WordPress Plugin Vulnerabilities

Affiliate For WooCommerce < 4.8.0 - Subscriber+ Unauthorised Actions

Description

The plugin does not have authorisation in various actions, which could allow users with a role as low as subscriber to call them

Affects Plugins

Plugin icon
affiliate-for-woocommerce
Fixed in 4.8.0

References

CVE
CVE-2022-25649

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Gennady Kovshenin
Verified
No
WPVDB ID
d50a9bb0-7587-4525-a332-76decec53cec

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-06 (about 3 years ago)
Last Updated
2023-04-12 (about 3 years ago)

Other

Published
Title
Published
2022-06-28
Title
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
Published
2024-05-21
Title
UserPro < 5.1.9 - Unauthenticated Account Takeover to Privilege Escalation
Published
2024-02-16
Title
My Private Site < 3.1.0 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2024-02-19
Title
Coming Soon Maintenance Mode < 1.0.6 - Information Exposure
Published
2025-01-16
Title
WP Hotel Booking < 2.1.6 - Missing Authorization