Vulnerabilites related to codexpert - WC Affiliate – A Complete WooCommerce Affiliate Plugin
CVE-2024-12336 (GCVE-0-2024-12336)
Vulnerability from cvelistv5
Published
2025-03-15 03:23
Modified
2025-03-17 21:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'export_all_data' function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codexpert | WC Affiliate – A Complete WooCommerce Affiliate Plugin |
Version: * ≤ 2.5.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T21:25:18.503653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T21:28:04.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin",
"vendor": "codexpert",
"versions": [
{
"lessThanOrEqual": "2.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanh Nam Tran"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027export_all_data\u0027 function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T03:23:24.688Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf0fb349-4cb8-4cf3-ae7c-5c4dcc6fd4f7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-affiliate/trunk/src/AJAX.php#L903"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T14:23:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin \u003c= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12336",
"datePublished": "2025-03-15T03:23:24.688Z",
"dateReserved": "2024-12-06T23:10:48.527Z",
"dateUpdated": "2025-03-17T21:28:04.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12334 (GCVE-0-2024-12334)
Vulnerability from cvelistv5
Published
2025-01-26 11:09
Modified
2025-01-27 14:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codexpert | WC Affiliate – A Complete WooCommerce Affiliate Plugin |
Version: * ≤ 2.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:39:56.717988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T14:52:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin",
"vendor": "codexpert",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dale Mavers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-26T11:09:45.338Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efca1ee2-2038-440e-941c-22533b4d833b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3224312/wc-affiliate"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-09T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-25T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WC Affiliate \u2013 A Complete WooCommerce Affiliate Plugin \u003c= 2.4 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12334",
"datePublished": "2025-01-26T11:09:45.338Z",
"dateReserved": "2024-12-06T22:41:31.369Z",
"dateUpdated": "2025-01-27T14:52:49.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}