Impact
The vulnerability is a missing authorization flaw that allows attackers to bypass the intended access controls of the AnyTrack Affiliate Link Manager plugin. Because the plugin does not enforce proper permission checks, unauthenticated or low-privileged users can reach administrative functions, potentially viewing or editing affiliate links and related data. Based on the description, it is inferred that these users can access admin routes that are not properly protected. This flaw is classified as CWE-862 (Missing Authorization). The primary impact is unauthorized privileged access that could lead to data exposure or manipulation.
Affected Systems
AnyTrack Affiliate Link Manager plugin versions up to and including 1.0.4 are affected. The issue is present from the earliest available release through 1.0.4, so any WordPress installation using this plugin at those versions must evaluate its exposure.
Risk and Exploitability
The CVSS score of 7.5 indicates a moderate to high severity. The EPSS score of less than 1% suggests that widespread exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, since the flaw grants elevated access to potentially sensitive configuration data, it remains a significant risk to sites that rely on the plugin. Exploitation would proceed by accessing admin routes that are not properly protected, typically requiring only the knowledge of the plugin’s backend URLs, which are often well known to an attacker.