Unauthorized Access Vulnerability in Affilia – Affiliate Program & Referral Tracking for WordPress Plugin
CVE-2026-7559

4.3MEDIUM

What is CVE-2026-7559?

The Affilia – Affiliate Program & Referral Tracking plugin for WordPress has a serious security flaw that allows authenticated users with subscriber-level access or higher to manipulate affiliate referrals and related financial transactions. This vulnerability arises because the plugin fails to verify user authorizations correctly, leading to potential financial fraud. The nonce used for authentication is easily accessible to all authenticated users, regardless of their assigned roles, thereby allowing an attacker to approve or reject affiliate referrals, credit commissions, and alter various plugin settings without proper authorization.

Affected Version(s)

Affiliate Program & Referral Tracking for WooCommerce & WordPress – Affilia 0 <= 3.3.3

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

loris4py
.