The AffiliateWP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function, which is called via an AJAX action, in versions up to and including 2.14.0. This makes it possible for authenticated attackers with subscriber-level access and above to activate arbitrary plugins.
References
| Link | Resource |
|---|---|
| https://affiliatewp.com/changelog/ | Release Notes |
| https://www.wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2?source=cve | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Wordfence
Published: 2023-08-30T11:29:28.920Z
Updated: 2023-08-30T11:29:28.920Z
Reserved: 2023-08-29T13:40:35.456Z
Link: CVE-2023-4600
NVD Information
Status: Modified
Published: 2023-08-30T12:15:09.817
Modified: 2023-11-07T04:22:47.293
Link: CVE-2023-4600
Redhat Information
No data.
CWE
No CWE.