CVE-2024-2298
affiliate-toolkit – WordPress Affiliate Plugin <= 3.5.4 - Missing Authorization via atkp_import_product
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products.
El complemento affiliate-toolkit – WordPress Affiliate Plugin para WordPress es vulnerable al acceso no autorizado debido a una falta de verificación de capacidad en la función atkp_import_product() en todas las versiones hasta la 3.5.4 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, realicen acciones no autorizadas, como la creación de productos de importación.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-17 First Exploit
- 2024-03-07 CVE Reserved
- 2024-03-07 CVE Published
- 2024-03-08 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (3)
| URL | Date | SRC |
|---|---|---|
| https://github.com/keru6k/CVE-2024-22983 | 2024-02-17 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cservit Search vendor "Cservit" | Affiliate-toolkit – WordPress Affiliate Plugin Search vendor "Cservit" for product "Affiliate-toolkit – WordPress Affiliate Plugin" | <= 3.5.4 Search vendor "Cservit" for product "Affiliate-toolkit – WordPress Affiliate Plugin" and version " <= 3.5.4" | en |
Affected
| ||||||