Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-accessible missing authorization requires a low-privilege authenticated user (PR:L); integrity impact is high with no confidentiality or availability consequence per the access-control-only nature of the flaw.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.
AnalysisAI
Broken Access Control in the Affiliates Manager WordPress plugin (versions <= 2.9.49) allows an authenticated low-privilege user to perform unauthorized affiliate management actions, achieving high integrity impact due to missing authorization checks (CWE-862). The CVSS vector (PR:L, AV:N, AC:L) confirms exploitation is network-accessible with minimal complexity, requiring only a valid low-privilege account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session on the target WordPress site with at least a low-privilege role - for example, a registered subscriber, customer, or affiliate account (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (Medium) reflects network accessibility (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), and high integrity impact (I:H) with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing low-privilege WordPress account (e.g., a subscriber or affiliate account) and sends a crafted HTTP POST request to an affiliate management endpoint - such as an admin-ajax action or REST route - that lacks a capability check. Because the authorization gate is missing, the server processes the request as if the user held elevated permissions, allowing the attacker to modify affiliate records, approve payouts, or manipulate program settings. … |
| Remediation | Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/affiliates-manager/vulnerability/wordpress-affiliates-manager-plugin-2-9-49-broken-access-control-vulnerability for the patched release version and update the plugin immediately once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39769
GHSA-8ph7-m94w-6fwc