CVE-2023-4600

MEDIUM

AffiliateWP <2.14.0 - Privilege Escalation

Title source: llm

Description

The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins.

References (2)

[Release Notes] https://affiliatewp.com/changelog/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2?source=cve

Scores

CVSS v3 4.3

EPSS 0.0007

EPSS Percentile 21.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

Status published

Affected Products (1)

affiliatewp/affiliatewp < 2.14.0

Timeline

Published Aug 30, 2023

Tracked Since Feb 18, 2026