CVE-2024-1851
affiliate-toolkit – WordPress Affiliate Plugin <= 3.5.4 - Missing Authorization via atkp_create_list
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.
El complemento affiliate-toolkit – WordPress Affiliate Plugin para WordPress es vulnerable al acceso no autorizado debido a una falta de verificación de capacidad en la función atkp_create_list() en todas las versiones hasta la 3.5.4 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, realicen acciones no autorizadas, como la creación de listas de productos.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-23 CVE Reserved
- 2024-03-07 CVE Published
- 2024-03-08 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cservit Search vendor "Cservit" | Affiliate-toolkit – WordPress Affiliate Plugin Search vendor "Cservit" for product "Affiliate-toolkit – WordPress Affiliate Plugin" | <= 3.5.4 Search vendor "Cservit" for product "Affiliate-toolkit – WordPress Affiliate Plugin" and version " <= 3.5.4" | en |
Affected
| ||||||