CVE-2022-3898

2022-11-2921:15:11

CWE-352

[email protected]

web.nvd.nist.gov

wp affiliate platform

wordpress

cross-site request forgery

nonce validation

affiliates menu

unauthenticated attackers

affiliate records

site administrator

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

23.6%

JSON

The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected configurations

Nvd

Node

wp_affiliate_platform_projectwp_affiliate_platformRange≤6.3.9wordpress

VendorProductVersionCPE
wp_affiliate_platform_projectwp_affiliate_platform*cpe:2.3:a:wp_affiliate_platform_project:wp_affiliate_platform:*:*:*:*:*:wordpress:*:*