WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change
CVE-2022-36284

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Affiliate For WooCommerce (WordPress Plugin)
Vendor: CVE Published:; 5 August 2022

Summary

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.

Affected Version(s)

Affiliate For WooCommerce (WordPress plugin) <= 4.7.0 <= 4.7.0

References

https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate...

x_refsource_CONFIRM

https://patchstack.com/database/vulnerability/affiliate-f...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 5, 2022
Vulnerability Reserved
Jul 22, 2022

Credit

Vulnerability discovered by Vlad Vector (Patchstack)