CVE-2022-36284

MEDIUM

StoreApps Affiliate For WooCommerce <=4.7.0 - Info Disclosure

Title source: llm

Description

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.

References (2)

Core 2

Core References

Release Notes, Third Party Advisory x_refsource_confirm

https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt

Third Party Advisory x_refsource_confirm

https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change

Scores

CVSS v3 6.4

EPSS 0.0018

EPSS Percentile 39.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

StoreApps/Affiliate For WooCommerce (WordPress plugin) <= 4.7.0 - 4.7.0

storeapps/affiliate_for_woocommerce < 4.7.0

Published Aug 05, 2022

Tracked Since Feb 18, 2026