CVE-2026-57654
Deferred Deferred - Pending Action

Affiliate Broken Access Control in Affiliates Manager

Vulnerability report for CVE-2026-57654, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-29

Assigner: Patchstack

Description

Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
patchstack affiliates_manager to 2.9.49 (inc)
patchstack affiliates_manager From 2.9.50 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress Affiliates Manager Plugin, versions 2.9.49 and below, contains a Broken Access Control vulnerability (CVE-2026-57654). This means that unprivileged users can perform actions that should require higher privileges because of missing authorization, authentication, or nonce token checks.

This vulnerability is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS score of 6.5, indicating a moderate severity level.

The issue was reported by Jakub Herman and patched in version 2.9.50 of the plugin.

Detection Guidance

This vulnerability allows unprivileged users to perform higher-privileged actions due to missing authorization, authentication, or nonce token checks in the Affiliates Manager plugin versions 2.9.49 and below.

Detection would involve checking the version of the Affiliates Manager plugin installed on your WordPress system to see if it is 2.9.49 or below.

You can detect the plugin version by running commands such as:

  • Using WP-CLI: `wp plugin list | grep affiliates-manager` to check the installed version.
  • Manually inspecting the plugin's main file header in the WordPress plugins directory for the version number.

Additionally, monitoring logs for unauthorized privilege escalation attempts or unusual access patterns related to the Affiliates Manager plugin could help detect exploitation attempts.

Impact Analysis

This vulnerability allows unprivileged users to perform higher-privileged actions that they should not be able to do. This can lead to unauthorized changes or actions within the Affiliates Manager plugin.

Since the vulnerability is often targeted in mass-exploit campaigns, it poses a risk of exploitation that could compromise the integrity of your affiliate management system.

Users are strongly advised to update to version 2.9.50 or later to mitigate these risks.

Compliance Impact

The provided information does not specify how the Broken Access Control vulnerability in Affiliates Manager versions 2.9.49 and below directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the Affiliates Manager plugin to version 2.9.50 or later, where the issue has been patched.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins can help ensure timely patching.

Since this vulnerability is often targeted in mass-exploit campaigns, prompt updating is critical to prevent unauthorized privilege escalation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart