Skip to main content

Affilia WordPress Plugin CVE-2026-7559

| EUVDEUVD-2026-43140 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-gm5w-p3xr-7gh2
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
7.1 HIGH

PR:L confirmed by subscriber-level requirement; I:H reflects direct financial fraud via commission manipulation; A:L for referral record deletion capability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:16 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Affilia - Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve or reject affiliate referrals, credit commissions to affiliate wallets, delete referral records, and modify custom banner plugin options, enabling financial fraud. The nonce required to pass the only authentication check is embedded in every frontend page load via rtwalwm_global_params.rtwalwm_nonce, making it trivially accessible to any authenticated user regardless of role.

AnalysisAI

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global rtwalwm_global_params.rtwalwm_nonce, making role-based access enforcement trivially bypassable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Load any frontend page while authenticated
Exploit
Extract nonce from rtwalwm_global_params JavaScript object
Execution
Craft AJAX request targeting admin action handlers
Persist
Approve fraudulent referrals and credit commissions to attacker wallet
Impact
Withdraw fraudulent commission payouts

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account at subscriber level or above on the target site - anonymous unauthenticated access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS score of 4.3 (I:L) underrepresents the business impact: the ability to approve fraudulent referrals and directly credit commissions to attacker-controlled affiliate wallets constitutes high-integrity financial fraud, not merely low-integrity data modification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WooCommerce site running Affilia 3.3.3, then loads any public page to extract the nonce value from the `rtwalwm_global_params.rtwalwm_nonce` JavaScript variable in the page source. Using the extracted nonce, the attacker sends crafted AJAX POST requests to `wp-admin/admin-ajax.php` targeting the vulnerable action handlers, approving their own fraudulent referrals and crediting commissions directly to their affiliate wallet - effectively stealing payouts from the merchant without any administrator interaction. …
Remediation A code changeset was committed to the plugin's WordPress Subversion repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3542527%40affiliaa-affiliate-program-with-mlm&new=3542527%40affiliaa-affiliate-program-with-mlm), indicating an upstream fix exists; however, a formally released patched version number is not confirmed in the available data - verify via the WordPress plugin repository whether a version beyond 3.3.3 has been released and update immediately if so. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy