Skip to main content

Affiliates Manager EUVDEUVD-2026-39769

| CVE-2026-57654 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-8ph7-m94w-6fwc
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible missing authorization requires a low-privilege authenticated user (PR:L); integrity impact is high with no confidentiality or availability consequence per the access-control-only nature of the flaw.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:09 vuln.today

DescriptionCVE.org

Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.

AnalysisAI

Broken Access Control in the Affiliates Manager WordPress plugin (versions <= 2.9.49) allows an authenticated low-privilege user to perform unauthorized affiliate management actions, achieving high integrity impact due to missing authorization checks (CWE-862). The CVSS vector (PR:L, AV:N, AC:L) confirms exploitation is network-accessible with minimal complexity, requiring only a valid low-privilege account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register low-privilege WordPress account
Exploit
Identify unprotected affiliate management endpoint
Execution
Send crafted HTTP request bypassing authorization check
Impact
Perform unauthorized affiliate management action with high integrity impact

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session on the target WordPress site with at least a low-privilege role - for example, a registered subscriber, customer, or affiliate account (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (Medium) reflects network accessibility (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), and high integrity impact (I:H) with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing low-privilege WordPress account (e.g., a subscriber or affiliate account) and sends a crafted HTTP POST request to an affiliate management endpoint - such as an admin-ajax action or REST route - that lacks a capability check. Because the authorization gate is missing, the server processes the request as if the user held elevated permissions, allowing the attacker to modify affiliate records, approve payouts, or manipulate program settings. …
Remediation Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/affiliates-manager/vulnerability/wordpress-affiliates-manager-plugin-2-9-49-broken-access-control-vulnerability for the patched release version and update the plugin immediately once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy