Skip to main content

Affiliates Manager CVE-2026-52692

| EUVDEUVD-2026-36899 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-15 Patchstack GHSA-xffp-qm85-j89r
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint discloses sensitive affiliate data with no integrity or availability impact, matching AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:27 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Affiliates Manager WordPress plugin versions 2.9.50 and earlier allows remote attackers to retrieve confidential information without credentials. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact with no integrity or availability effects, and no public exploit identified at time of analysis. Disclosed by Patchstack, the issue affects WordPress sites running the wp.insider Affiliates Manager plugin used to manage affiliate marketing programs.

Technical ContextAI

Affiliates Manager is a WordPress plugin by wp.insider (CPE cpe:2.3:a:wp.insider:affiliates_manager) that handles affiliate registration, tracking, commissions, and payouts - meaning it stores PII, payment details, referral data, and affiliate account information. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data), which typically arises when a plugin endpoint, REST route, or AJAX handler returns more data than it should, omits access control checks, or echoes server-side fields in responses intended for unauthenticated viewers. In WordPress plugins, this class of bug commonly stems from missing capability checks on admin-ajax.php actions, public REST API endpoints registered without permission_callback, or template logic that exposes object fields meant to be internal.

RemediationAI

Patch available per vendor advisory - upgrade the Affiliates Manager plugin to a version newer than 2.9.50 as soon as the wp.insider release fixing this issue is published; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/affiliates-manager/vulnerability/wordpress-affiliates-manager-plugin-2-9-50-sensitive-data-exposure-vulnerability for the exact fixed version. If immediate upgrade is not possible, compensating controls include deactivating the Affiliates Manager plugin entirely (trade-off: affiliate program functionality is offline), placing the affected WordPress site behind a WAF with virtual-patching rules from Patchstack or Wordfence targeting this CVE (trade-off: relies on signature coverage and adds an inline dependency), or restricting access to the plugin's admin-ajax actions and REST routes via web-server ACLs that limit which IPs may call the vulnerable endpoints (trade-off: may break legitimate affiliate signup or tracking flows). After patching, audit access logs for unusual GET/POST traffic to admin-ajax.php and /wp-json/ endpoints belonging to the plugin, and rotate any affiliate credentials or API keys that may have been disclosed.

Share

CVE-2026-52692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy