WooCommerce Cloak Affiliate Links < 1.0.34 – Missing Authorization to Unauthenticated Permalink Modification | CVE 2024-1308 | Plugin Vulnerabilities

Description

The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalink_settings_save' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to modify the affiliate permalink base, driving traffic to malicious sites via the plugin's affiliate links.

Affects Plugins

woocommerce-cloak-affiliate-links

Fixed in 1.0.34

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3c731e39-998e-44d2-8cf9-4d9c39731c5d

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

fc3a99c5-0713-46d0-9f42-be69a7a04beb

Timeline

Publicly Published

2024-03-20 (about 2 years ago)

Added

2024-03-20 (about 2 years ago)

Last Updated

2024-03-20 (about 2 years ago)

Other

Published

Title

Published

2024-04-26

Title

Analytify < 5.2.4 - Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification

Published

2020-09-28

Title

WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure

Published

2020-09-22

Title

Coditor <= 1.1 - Arbitrary File Edition, Deletion and Internal Directory Listing in wp-content

Published

2025-02-19

Title

Prime Addons for Elementor < 2.0.2 - Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode

Published

2021-12-27

Title

WP Post Page Clone < 1.2 - Unauthorised Post Access