6.5
CVE-2022-36284
- EPSS 0.51%
- Veröffentlicht 05.08.2022 16:15:14
- Zuletzt bearbeitet 20.02.2025 21:15:23
- Quelle audit@patchstack.com
- CVE-Watchlists
- Unerledigt
LoginWordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change
Affiliate For WooCommerce premium <= 4.7.0 - Authenticated Insecure Direct Object Reference
Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.
Mögliche Gegenmaßnahme
Affiliate For WooCommerce: Update to version 4.8.0, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Storeapps ≫ Affiliate For Woocommerce SwPlatformwordpress Version <= 4.7.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Affiliate For WooCommerce
Version
*-4.7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.51% | 0.392 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
| audit@patchstack.com | 6.4 | 1.6 | 4.7 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt
https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6c3daf6-2225-4929-8e76-169d680118ba