CVE-2026-57654
Status: Deferred - Pending Action
Affiliate Broken Access Control in Affiliates Manager

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
patchstack | affiliates_manager | up to 2.9.49 (inclusive)
patchstack | affiliates_manager | from 2.9.50 (inclusive)
Exploitability
CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The provided information does not specify how the Broken Access Control vulnerability in Affiliates Manager versions 2.9.49 and below directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The WordPress Affiliates Manager Plugin, versions 2.9.49 and below, contains a Broken Access Control vulnerability (CVE-2026-57654). This means that unprivileged users can perform actions that should require higher privileges because of missing authorization, authentication, or nonce token checks.

This vulnerability is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS score of 6.5, indicating a moderate severity level.

The issue was reported by Jakub Herman and patched in version 2.9.50 of the plugin.

Impact Analysis

This vulnerability allows unprivileged users to perform higher-privileged actions that they should not be able to do. This can lead to unauthorized changes or actions within the Affiliates Manager plugin.

Since the vulnerability is often targeted in mass-exploit campaigns, it poses a risk of exploitation that could compromise the integrity of your affiliate management system.

Users are strongly advised to update to version 2.9.50 or later to mitigate these risks.

Detection Guidance

This vulnerability allows unprivileged users to perform higher-privileged actions due to missing authorization, authentication, or nonce token checks in the Affiliates Manager plugin versions 2.9.49 and below.

Detection consists of checking the installed version of the Affiliates Manager plugin on your WordPress site: any version at or below 2.9.49 is affected.

You can detect the plugin version by running commands such as:

  • Using WP-CLI: `wp plugin list | grep affiliates-manager` to check the installed version.
  • Manually inspecting the plugin's main file header in the WordPress plugins directory for the version number.

Additionally, monitoring logs for unauthorized privilege escalation attempts or unusual access patterns related to the Affiliates Manager plugin could help detect exploitation attempts.
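The version check described above, as an added example that is not part of the original advisory: a small POSIX shell helper that pulls the `Version:` field out of a plugin main-file header and compares it numerically (not as a string) against the first fixed release, 2.9.50. The header text is a constructed sample, not the real plugin file, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify an Affiliates Manager install as vulnerable or patched
# for CVE-2026-57654 based on the plugin header version.

# Constructed sample of a WordPress plugin main-file header (not the real file).
SAMPLE_HEADER='<?php
/*
Plugin Name: Affiliates Manager
Version: 2.9.49
*/'

# First release that carries the fix, taken from the advisory.
FIXED_VERSION="2.9.50"

# Read a plugin main-file header on stdin and print the first "Version:" value.
# Accepts both "Version: x.y.z" and " * Version: x.y.z" comment styles.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when $1 is strictly lower than $2 in dotted-numeric order.
# A plain string comparison would wrongly rank 2.10.0 below 2.9.50, so each
# component is compared as a number.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print "vulnerable" if the given version predates the fixed release, else "patched".
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Check a plugin main file on disk, e.g. wp-content/plugins/affiliates-manager/<main-file>.php
# (path is an assumption; adjust to your install).
assess_plugin_file() {
    assess_version "$(plugin_version_from_header < "$1")"
}

# Stand-alone demonstration against the constructed header.
demo_version="$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version_from_header)"
echo "installed: $demo_version -> $(assess_version "$demo_version")"
```

On a live site the same decision can be made from WP-CLI output (the `wp plugin list` command mentioned above); the point of the helper is that the comparison must be numeric per component, since 2.9.5 and 2.10.0 sit on opposite sides of the fix boundary even though both sort oddly as strings.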

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the Affiliates Manager plugin to version 2.9.50 or later, where the issue has been patched.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins can help ensure timely patching.

Since this vulnerability is often targeted in mass-exploit campaigns, prompt updating is critical to prevent unauthorized privilege escalation.
