{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69346", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:28.143Z", "datePublished": "2026-01-06T16:36:39.417Z", "dateUpdated": "2026-04-28T16:14:38.193Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "affiliatex", "product": "AffiliateX", "vendor": "WPCenter", "versions": [{"changes": [{"at": "1.4.0", "status": "unaffected"}], "lessThanOrEqual": "1.3.9.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:14.211Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AffiliateX: from n/a through <= 1.3.9.3.</p>"}], "value": "Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.193Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/affiliatex/vulnerability/wordpress-affiliatex-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress AffiliateX plugin <= 1.3.9.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T19:47:24.727783Z", "id": "CVE-2025-69346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:51:52.854Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T19:47:24.727783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:47:57.436Z"}}], "cna": {"title": "WordPress AffiliateX plugin <= 1.3.9.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPCenter", "product": "AffiliateX", "versions": [{"status": "affected", "changes": [{"at": "1.4.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.9.3"}], "packageName": "affiliatex", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:14.211Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/affiliatex/vulnerability/wordpress-affiliatex-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AffiliateX: from n/a through <= 1.3.9.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:00.921Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69346", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:51:52.854Z", "dateReserved": "2025-12-31T20:12:28.143Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:39.417Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3."}], "id": "CVE-2025-69346", "lastModified": "2026-04-27T21:16:24.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:47.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/affiliatex/vulnerability/wordpress-affiliatex-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:23:23.300546+00:00", "value": {"mitigation_remediation": ["Upgrade the AffiliateX plugin to a version newer than 1.3.9.3", "If an upgrade cannot be performed immediately, disable the plugin for unauthenticated users and restrict its administration pages to administrator and editor roles only", "Monitor site logs for unexpected access to plugin endpoints and for unauthorized changes to plugin settings or data"], "summary": {"action": "Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the WPCenter AffiliateX plugin from the earliest releases through version 1.3.9.3 are affected. Any site using the plugin at or below this version, regardless of the site\u2019s overall WordPress version, is vulnerable.", "description_and_impact": "The AffiliateX plugin for WordPress contains a missing authorization flaw that permits an attacker to bypass the intended access restrictions and use privileged features or view sensitive content. This vulnerability maps to CWE\u2011862, where insufficient validation of user privileges enables actions beyond the user\u2019s role. The flaw allows unauthorized users to alter plugin settings, read or delete data, and otherwise compromise the website\u2019s configuration and content.", "risk_and_exploitability": "With a CVSS score of 4.3, the vulnerability is considered medium severity, yet the EPSS score of less than 1% indicates that exploitation in the wild is unlikely. The plugin is not listed in the CISA KEV catalog, so no large\u2011scale public exploits are known. Nevertheless an attacker who can reach the plugin\u2019s administrative interfaces or unauthorized endpoints\u2014especially on a site that grants broader privileges to untrusted users\u2014can exploit the flaw. The primary risk is unauthorized modification of configuration, leakage of sensitive data, and potential disruption of site functionality."}}}}, "created": "2026-01-07T10:08:37.479160+00:00", "updated": "2026-04-28T18:30:37.332049+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}