CVE-2022-0398

low-risk
Published 2022-04-25

The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Thirstyaffiliates Affiliate Link Manager

Affected Vendors

Caseproof

References (2)

Exploit https://wpscan.com/vulnerability/21aec131-91ff-4300-ac7a-0bf31d6b2b24
Exploit https://wpscan.com/vulnerability/21aec131-91ff-4300-ac7a-0bf31d6b2b24
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal