Impact
The WordPress Affiliates Manager plugin through version 2.9.49 contains a broken access control flaw. The plugin fails to enforce proper permission checks on privileged operations, allowing an attacker who can send crafted requests to the plugin’s endpoints to modify or create affiliate records. This can compromise data confidentiality and integrity, and in some configurations could elevate the attacker's privileges to administrative levels within the WordPress installation.
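To make the class of defect concrete, here is an added illustration of a WordPress AJAX handler that writes an affiliate record without any authorization check, beside a hardened form; this is example code written for this page, not the Affiliates Manager plugin's own source, and every function name, action name and table name prefixed `wpam_example` is a hypothetical placeholder.

```php
<?php
// Added example, not code from the Affiliates Manager plugin. All
// wpam_example_* names and the table suffix are hypothetical placeholders.

// Insecure pattern: the handler trusts whatever the request carries and
// updates an affiliate record with no capability check and no nonce. Because
// it is also hooked on wp_ajax_nopriv_, even anonymous visitors reach it.
function wpam_example_update_affiliate_insecure() {
    global $wpdb;
    $id     = (int) $_POST['affiliate_id'];
    $status = sanitize_text_field( $_POST['status'] );
    $wpdb->update(
        $wpdb->prefix . 'wpam_example_affiliates',
        array( 'status' => $status ),
        array( 'id' => $id )
    );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpam_example_insecure', 'wpam_example_update_affiliate_insecure' );
add_action( 'wp_ajax_nopriv_wpam_example_insecure', 'wpam_example_update_affiliate_insecure' );

// Hardened form: the caller must hold a capability that matches the privileged
// operation (manage_options is used here as a stand-in for the right one), the
// request must carry a valid nonce so a logged-in user cannot be tricked into
// issuing it cross-site, and input is validated before it reaches the database.
// A nonce alone would not fix the flaw described above: it proves intent, not
// authorization, so both checks are required.
function wpam_example_update_affiliate_secure() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // wp_send_json_error() exits
    }
    check_ajax_referer( 'wpam_example_update_affiliate', 'nonce' ); // dies on failure
    $id     = isset( $_POST['affiliate_id'] ) ? absint( $_POST['affiliate_id'] ) : 0;
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( 0 === $id || ! in_array( $status, array( 'active', 'inactive' ), true ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $wpdb->update(
        $wpdb->prefix . 'wpam_example_affiliates',
        array( 'status' => $status ),
        array( 'id' => $id ),
        array( '%s' ),
        array( '%d' )
    );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpam_example_secure', 'wpam_example_update_affiliate_secure' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous requests never reach the handler.
```

When auditing a plugin for this class of issue, every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback that changes state should be checked for both a capability test and a nonce or `permission_callback`.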
Affected Systems
Any WordPress website that has installed the Affiliates Manager plugin (wp.insider: Affiliates Manager) version 2.9.49 or earlier is affected. This includes sites using the plugin directly, or any installations that have inherited the plugin through a theme or another plugin that bundles it.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.5, indicating medium severity. No EPSS score is available, so the likelihood of exploitation is uncertain, and the flaw is not listed in the CISA KEV catalog. Attackers can potentially exploit the issue remotely through the web interface, provided they can craft a request to the vulnerable plugin’s endpoints. The absence of known public exploits suggests that exploitation would require custom development, but the medium severity score still warrants prompt attention.
OpenCVE Enrichment