Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress plugin endpoint discloses sensitive affiliate data with no integrity or availability impact, matching AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the Affiliates Manager WordPress plugin versions 2.9.50 and earlier allows remote attackers to retrieve confidential information without credentials. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact with no integrity or availability effects, and no public exploit identified at time of analysis. Disclosed by Patchstack, the issue affects WordPress sites running the wp.insider Affiliates Manager plugin used to manage affiliate marketing programs.
Technical ContextAI
Affiliates Manager is a WordPress plugin by wp.insider (CPE cpe:2.3:a:wp.insider:affiliates_manager) that handles affiliate registration, tracking, commissions, and payouts - meaning it stores PII, payment details, referral data, and affiliate account information. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data), which typically arises when a plugin endpoint, REST route, or AJAX handler returns more data than it should, omits access control checks, or echoes server-side fields in responses intended for unauthenticated viewers. In WordPress plugins, this class of bug commonly stems from missing capability checks on admin-ajax.php actions, public REST API endpoints registered without permission_callback, or template logic that exposes object fields meant to be internal.
RemediationAI
Patch available per vendor advisory - upgrade the Affiliates Manager plugin to a version newer than 2.9.50 as soon as the wp.insider release fixing this issue is published; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/affiliates-manager/vulnerability/wordpress-affiliates-manager-plugin-2-9-50-sensitive-data-exposure-vulnerability for the exact fixed version. If immediate upgrade is not possible, compensating controls include deactivating the Affiliates Manager plugin entirely (trade-off: affiliate program functionality is offline), placing the affected WordPress site behind a WAF with virtual-patching rules from Patchstack or Wordfence targeting this CVE (trade-off: relies on signature coverage and adds an inline dependency), or restricting access to the plugin's admin-ajax actions and REST routes via web-server ACLs that limit which IPs may call the vulnerable endpoints (trade-off: may break legitimate affiliate signup or tracking flows). After patching, audit access logs for unusual GET/POST traffic to admin-ajax.php and /wp-json/ endpoints belonging to the plugin, and rotate any affiliate credentials or API keys that may have been disclosed.
More in Affiliates Manager
View allThe Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could all
The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL s
Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager plugin <= 2.9.20 versio
The Affiliates Manager WordPress plugin before 2.9.14 does not sanitise and escape some of its settings, which could all
The affiliates-manager plugin before 2.6.6 for WordPress has CSRF. Rated high severity (CVSS 8.8), this vulnerability is
The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and inclu
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36899
GHSA-xffp-qm85-j89r