Broken Access Control in Affiliates Manager by WordPress
CVE-2026-57654

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Affiliates Manager
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-57654?

The Affiliates Manager plugin for WordPress is susceptible to broken access control, allowing unauthorized users to access sensitive functionalities. This vulnerability affects versions 2.9.49 and below, potentially enabling malicious actors to exploit weaknesses in user permissions and carry out unauthorized actions within the plugin. It is essential for users to update to a secure version to mitigate the risks associated with this vulnerability.

Affected Version(s)

Affiliates Manager <= 2.9.49

References

https://patchstack.com/database/wordpress/plugin/affiliat...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 25, 2026

Credit

Jakub Herman | Patchstack Bug Bounty Program

CVE-2026-57654 Data

JSON