Description
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated user can read protected data exposed by the Affiliates Manager plugin versions 2.9.50 or earlier. The vulnerability allows disclosure of sensitive information stored by the plugin, leading to confidentiality compromise without requiring authentication.

Affected Systems

WordPress sites that have installed the Affiliates Manager plugin (vendor wp.insider, product Affiliates Manager) with a version of 2.9.50 or earlier are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate‑to‑high risk of exploitation. Because the EPSS score is listed as less than 1%, the likelihood of real‑world exploitation appears low at present, and the vulnerability is not currently cataloged in CISA KEV. The attack vector is inferred to be any unauthenticated web client able to trigger the plugin’s data‑display endpoints. An attacker with no credentials could thereby access confidential data stored by the plugin.

Generated by OpenCVE AI on June 18, 2026 at 00:23 UTC.

Remediation

Vendor Solution

Update the WordPress Affiliates Manager Plugin to the latest available version (at least 2.9.51).


OpenCVE Recommended Actions

  • Apply the latest version of the Affiliates Manager plugin (at least 2.9.51).
  • If an immediate update is not possible, disable the plugin or block HTTP access to its admin pages until the patch is deployed.
  • Verify that no sensitive files remain in the plugin directory and review the configuration to remove unnecessary data exposure.

Generated by OpenCVE AI on June 18, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp.insider
Wp.insider affiliates Manager
Vendors & Products Wordpress
Wordpress wordpress
Wp.insider
Wp.insider affiliates Manager

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
Title WordPress Affiliates Manager plugin <= 2.9.50 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wp.insider Affiliates Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:17:07.933Z

Reserved: 2026-06-08T10:11:03.695Z

Link: CVE-2026-52692

cve-icon Vulnrichment

Updated: 2026-06-16T01:17:03.310Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:23.853

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-52692

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:36Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data