CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36284 – WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change
https://notcve.org/view.php?id=CVE-2022-36284
01 Aug 2022 — Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page. Una vulnerabilidad de IDOR autenticado en el plugin StoreApps Affiliate For WooCommerce premium versiones anteriores a 4.7.0 incluyéndola, en WordPress permite a un atacante cambiar el correo electrónico de PayPal. El plugin WooCo... • https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25649 – WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Multiple Improper Access Control vulnerabilities
https://notcve.org/view.php?id=CVE-2022-25649
01 Aug 2022 — Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress. Múltiples vulnerabilidades de Control de Acceso Inapropiado en el plugin premium StoreApps Affiliate For WooCommerce versiones anteriores a 4.7.0 incluyéndola, en WordPress The Affiliate For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability checks function in versions up to, and including, 4.7.0. This makes it possible for authenticate... • https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •