Search
Find a vulnerability
Search criteria
4 vulnerabilities found for Affiliate For WooCommerce (WordPress plugin) by StoreApps
CVE-2022-36284 (GCVE-0-2022-36284)
Vulnerability from nvd – Published: 2022-08-05 15:08 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change
Summary
Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Insecure Direct Object References (IDOR)
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://dzv365zjfbd8v.cloudfront.net/changelogs/a… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/aff… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| StoreApps | Affiliate For WooCommerce (WordPress plugin) |
Affected:
<= 4.7.0 , ≤ 4.7.0
(custom)
|
Date Public
2022-08-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:27:30.616774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:13:40.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Affiliate For WooCommerce (WordPress plugin)",
"vendor": "StoreApps",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "\u003c= 4.7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"datePublic": "2022-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Direct Object References (IDOR)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:44.759Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-01T23:04:00.000Z",
"ID": "CVE-2022-36284",
"STATE": "PUBLIC",
"TITLE": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Affiliate For WooCommerce (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 4.7.0",
"version_value": "4.7.0"
}
]
}
}
]
},
"vendor_name": "StoreApps"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object References (IDOR)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt",
"refsource": "CONFIRM",
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
},
{
"name": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36284",
"datePublished": "2022-08-05T15:08:51.582Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:44.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25649 (GCVE-0-2022-25649)
Vulnerability from nvd – Published: 2022-08-05 15:07 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Multiple Improper Access Control vulnerabilities
Summary
Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/aff… | x_refsource_CONFIRM |
| https://dzv365zjfbd8v.cloudfront.net/changelogs/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| StoreApps | Affiliate For WooCommerce (WordPress plugin) |
Affected:
<= 4.7.0 , ≤ 4.7.0
(custom)
|
Date Public
2022-08-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:50.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:27:40.138650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:14:11.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Affiliate For WooCommerce (WordPress plugin)",
"vendor": "StoreApps",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "\u003c= 4.7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Gennady Kovshenin (Patchstack Alliance)"
}
],
"datePublic": "2022-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:39.241Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Multiple Improper Access Control vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-01T21:57:00.000Z",
"ID": "CVE-2022-25649",
"STATE": "PUBLIC",
"TITLE": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Multiple Improper Access Control vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Affiliate For WooCommerce (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 4.7.0",
"version_value": "4.7.0"
}
]
}
}
]
},
"vendor_name": "StoreApps"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Gennady Kovshenin (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities"
},
{
"name": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt",
"refsource": "CONFIRM",
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-25649",
"datePublished": "2022-08-05T15:07:52.745Z",
"dateReserved": "2022-06-08T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:39.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-36284 (GCVE-0-2022-36284)
Vulnerability from cvelistv5 – Published: 2022-08-05 15:08 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change
Summary
Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Insecure Direct Object References (IDOR)
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://dzv365zjfbd8v.cloudfront.net/changelogs/a… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/aff… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| StoreApps | Affiliate For WooCommerce (WordPress plugin) |
Affected:
<= 4.7.0 , ≤ 4.7.0
(custom)
|
Date Public
2022-08-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:27:30.616774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:13:40.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Affiliate For WooCommerce (WordPress plugin)",
"vendor": "StoreApps",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "\u003c= 4.7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"datePublic": "2022-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Direct Object References (IDOR)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:44.759Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-01T23:04:00.000Z",
"ID": "CVE-2022-36284",
"STATE": "PUBLIC",
"TITLE": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Affiliate For WooCommerce (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 4.7.0",
"version_value": "4.7.0"
}
]
}
}
]
},
"vendor_name": "StoreApps"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object References (IDOR)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt",
"refsource": "CONFIRM",
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
},
{
"name": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36284",
"datePublished": "2022-08-05T15:08:51.582Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:44.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25649 (GCVE-0-2022-25649)
Vulnerability from cvelistv5 – Published: 2022-08-05 15:07 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Multiple Improper Access Control vulnerabilities
Summary
Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/aff… | x_refsource_CONFIRM |
| https://dzv365zjfbd8v.cloudfront.net/changelogs/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| StoreApps | Affiliate For WooCommerce (WordPress plugin) |
Affected:
<= 4.7.0 , ≤ 4.7.0
(custom)
|
Date Public
2022-08-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:50.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:27:40.138650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:14:11.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Affiliate For WooCommerce (WordPress plugin)",
"vendor": "StoreApps",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "\u003c= 4.7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Gennady Kovshenin (Patchstack Alliance)"
}
],
"datePublic": "2022-08-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:39.241Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Multiple Improper Access Control vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-01T21:57:00.000Z",
"ID": "CVE-2022-25649",
"STATE": "PUBLIC",
"TITLE": "WordPress Affiliate For WooCommerce premium plugin \u003c= 4.7.0 - Multiple Improper Access Control vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Affiliate For WooCommerce (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 4.7.0",
"version_value": "4.7.0"
}
]
}
}
]
},
"vendor_name": "StoreApps"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Gennady Kovshenin (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-multiple-improper-access-control-vulnerabilities"
},
{
"name": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt",
"refsource": "CONFIRM",
"url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 4.8.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-25649",
"datePublished": "2022-08-05T15:07:52.745Z",
"dateReserved": "2022-06-08T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:39.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}