Missing Authorization Issue in Woocommerce Envato Affiliates by AA-Team
CVE-2025-14361

7.1HIGH

Key Information:

Vendor: WordPress
Status: WooCommerce Envato Affiliates
Vendor: CVE Published:; 26 May 2026

What is CVE-2025-14361?

A missing authorization vulnerability exists in the Woocommerce Envato Affiliates plugin developed by AA-Team. This flaw allows unauthorized access to functionality which is not properly constrained by Access Control Lists (ACLs). As a result, attackers could exploit this issue to gain access to restricted areas or features within the plugin, posing a risk to the security of the affected website.

Affected Version(s)

Woocommerce Envato Affiliates <= 1.2.1

References

https://patchstack.com/database/wordpress/plugin/wooenvat...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
Dec 9, 2025

Credit

João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program

CVE-2025-14361 Data

JSON

WordPress

What is CVE-2025-14361?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit