Description
Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1.
Published: 2026-05-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the WordPress Woocommerce Envato Affiliates plugin allows users to access functionality that is not properly constrained by access control lists. Because the plugin’s settings interface can be reached without the appropriate privileges, an attacker may alter affiliate configuration parameters, potentially redirecting traffic or modifying commission structures.

Affected Systems

The vulnerability affects AA-Team's Woocommerce Envato Affiliates plugin from its earliest release through version 1.2.1. Any WordPress installation running one of these versions of the plugin is exposed.

Risk and Exploitability

The CVSS score of 7.1 falls in the High severity band. No EPSS data is available, and the vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. The likely attack path is via the plugin’s settings page, which can be accessed by any user who can reach the WordPress admin area, allowing an attacker to modify the plugin configuration without proper authorization.

Generated by OpenCVE AI on May 26, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest release that removes the missing authorization flaw.
  • Enforce strict access controls so that only administrator accounts can view or alter the plugin’s settings page.
  • Audit and monitor WordPress dashboard activity for unauthorized changes to the plugin’s configuration, and enable logging to track such incidents.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 26 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Aa-team; Aa-team woocommerce Envato Affiliates; Wordpress; Wordpress wordpress |
| Vendors & Products | | Aa-team; Aa-team woocommerce Envato Affiliates; Wordpress; Wordpress wordpress |

Tue, 26 May 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1. |
| Title | | WordPress Woocommerce Envato Affiliates plugin <= 1.2.1 - Settings Change vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:42:23.535Z

Reserved: 2025-12-09T16:47:38.939Z

Link: CVE-2025-14361

Vulnrichment

Updated: 2026-05-27T10:42:17.400Z

NVD

Status : Deferred

Published: 2026-05-26T21:16:35.313

Modified: 2026-05-27T14:50:47.627

Link: CVE-2025-14361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T22:30:18Z

Weaknesses