
CVE-2024-0859 – Affiliates Manager <= 2.9.34 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-0859
The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/affiliates-manager/trunk/classes/ListAffiliatesTable.php
• https://plugins.trac.wordpress.org/changeset/3028484/affiliates-manager/trunk?contextall=1&old=3015278&old_path=%2Faffiliates-manager%2Ftrunk
• https://www.wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2023-52130 – WordPress Affiliates Manager Plugin <= 2.9.31 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-52130
Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager. This issue affects Affiliates Manager: from n/a through 2.9.31. The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.31. This is due to missing or incorrect nonce validation on multiple AJAX functions.
• https://patchstack.com/database/vulnerability/affiliates-manager/wordpress-affiliates-manager-plugin-2-9-31-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2023-52148 – WordPress Affiliates Manager Plugin <= 2.9.30 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-52148
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager. This issue affects Affiliates Manager: from n/a through 2.9.30. The Affiliates Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.30 via the plugin's log files. This makes it possible for unauthenticated attackers to extract sensitive data including plugin configuration and debug information.
• https://patchstack.com/database/vulnerability/affiliates-manager/wordpress-affiliates-manager-plugin-2-9-30-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-532: Insertion of Sensitive Information into Log File

CVE-2023-28986 – WordPress Affiliates Manager Plugin <= 2.9.20 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-28986
Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager plugin <= 2.9.20 versions. The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.20. This is due to missing nonce validation on the process_bulk_action() function. This makes it possible for unauthenticated attackers to perform bulk modifications of commissions and clicks via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/affiliates-manager/wordpress-affiliates-manager-plugin-2-9-20-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-2798 – Affiliates Manager < 2.9.14 - Affiliate CSV Injection
https://notcve.org/view.php?id=CVE-2022-2798
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliates to perform CSV injection attacks against an admin exporting the data. The Affiliates Manager plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 2.9.13. This allows [authentication level?] attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
• https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File