Impact
An unauthenticated user can read protected data exposed by the Affiliates Manager plugin versions 2.9.50 or earlier. The vulnerability allows disclosure of sensitive information stored by the plugin, leading to confidentiality compromise without requiring authentication.
Affected Systems
WordPress sites that have installed the Affiliates Manager plugin (vendor wp.insider, product Affiliates Manager) with a version of 2.9.50 or earlier are affected.
Risk and Exploitability
The CVSS score of 7.5 indicates a moderate‑to‑high risk of exploitation. Because the EPSS score is listed as less than 1%, the likelihood of real‑world exploitation appears low at present, and the vulnerability is not currently cataloged in CISA KEV. The attack vector is inferred to be any unauthenticated web client able to trigger the plugin’s data‑display endpoints. An attacker with no credentials could thereby access confidential data stored by the plugin.
OpenCVE Enrichment