WordPress Plugin Vulnerabilities

Affiliate For WooCommerce < 4.8.0 - Subscriber+ Paypal Email Update via IDOR

Description

The plugin allows users with a role as low as subscriber to change the PayPal Email via an IDOR attack when the WooCommerce PayPal Payments plugin is also installed

Affects Plugins

Plugin icon
affiliate-for-woocommerce
Fixed in 4.8.0

References

CVE
CVE-2022-36284

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.0 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Verified
No
WPVDB ID
d775ba81-754f-4f2f-972a-2f9e91b4a1cf

Timeline

Publicly Published
2022-08-02 (about 3 years ago)
Added
2022-08-06 (about 3 years ago)
Last Updated
2023-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-03-14
Title
School Management System – WPSchoolPress < 2.2.17 - Teacher+ Privilege Escalation
Published
2024-01-10
Title
WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak
Published
2025-04-14
Title
Projectopia <= 5.1.23 - Unauthenticated Privilege Escalation via Account Takeover
Published
2025-09-17
Title
Chained Quiz < 1.3.6 - Unauthenticated Insecure Direct Object Reference via Cookie
Published
2024-06-28
Title
Paid Memberships Pro < 3.0.5 - Unauthenticated Insecure Direct Object Reference to Order Status Update