Description

WordPress Plugin WP Affiliate Disclosure is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently perform a variety of the plugin's actions or even take over a website. WordPress Plugin WP Affiliate Disclosure version 1.1.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.1.4 or latest

References

https://www.pluginvulnerabilities.com/2019/02/26/hackers-are-probably-already-exploiting-this-authenticated-option-update-vulnerability-just-fixed-in-freemius/

https://github.com/Freemius/wordpress-sdk/commit/50a7ca3d921d59e1d2b39bb6ab3c6c7efde494b8

https://plugins.trac.wordpress.org/changeset/2039381/

Related Vulnerabilities

WordPress Plugin Video Chat Multiple Cross-Site Scripting Vulnerabilities (1.4.1)

WordPress Plugin Paid Memberships Pro-Restrict Member Access to Content, Courses, Communities-Free or Paid Subscriptions Cross-Site Scripting (2.5)

WordPress Plugin Frontend File Manager Arbitrary File Upload (3.7)

WordPress Plugin Zlick Paywall Security Bypass (2.2.1)

MediaWiki Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2022-29904)

Severity

High

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass