History: Aug 05, 2022 - 4:15 p.m.

CVE-2022-36284

2022-08-05 16:15:14
CWE-639
web.nvd.nist.gov
Tags: cve-2022-36284, idor, vulnerability, storeapps affiliate, woocommerce, wordpress, paypal, woocommerce paypal payments plugin

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 Low
Percentile: 19.5%

Authenticated IDOR vulnerability in the StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 for WordPress allows an attacker to change the PayPal email. The free WooCommerce PayPal Payments plugin must at least be installed for the extra input field to appear on the user profile page.

Affected configurations

Node: storeapps affiliate_for_woocommerce, Range: 4.7.0

Vendor: storeapps
Product: affiliate_for_woocommerce
Version: *
CPE: cpe:2.3:a:storeapps:affiliate_for_woocommerce:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Affiliate For WooCommerce (WordPress plugin)",
    "vendor": "StoreApps",
    "versions": [
      {
        "lessThanOrEqual": "4.7.0",
        "status": "affected",
        "version": "<= 4.7.0",
        "versionType": "custom"
      }
    ]
  }
]
