CVE-2026-7559
Received Received - Intake

Unauthorized Access in Affilia WordPress Plugin

Vulnerability report for CVE-2026-7559, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve or reject affiliate referrals, credit commissions to affiliate wallets, delete referral records, and modify custom banner plugin options, enabling financial fraud. The nonce required to pass the only authentication check is embedded in every frontend page load via rtwalwm_global_params.rtwalwm_nonce, making it trivially accessible to any authenticated user regardless of role.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
affilia affiliate_program to 3.3.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Affilia – Affiliate Program & Referral Tracking plugin for WordPress has a vulnerability in all versions up to 3.3.3 where it fails to properly verify if a user is authorized to perform certain actions.

This flaw allows authenticated users with subscriber-level access or higher to perform unauthorized actions such as approving or rejecting affiliate referrals, crediting commissions to affiliate wallets, deleting referral records, and modifying custom banner plugin options.

The vulnerability exists because the nonce used for authentication is embedded in every frontend page load and is accessible to any authenticated user regardless of their role, making it easy to bypass proper authorization checks.

Impact Analysis

This vulnerability can lead to financial fraud by allowing unauthorized users to manipulate affiliate referrals and commissions.

  • Attackers can approve or reject affiliate referrals without permission.
  • They can credit commissions to affiliate wallets fraudulently.
  • Referral records can be deleted, potentially hiding fraudulent activity.
  • Custom banner plugin options can be modified, which might affect marketing or tracking.
Compliance Impact

The vulnerability allows authenticated users with subscriber-level access and above to perform unauthorized actions such as approving or rejecting affiliate referrals, crediting commissions, deleting referral records, and modifying plugin options. This can enable financial fraud.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart