CVE-2024-12336

Name of the Vulnerable Software and Affected Versions: The WC Affiliate – A Complete WooCommerce Affiliate Plugin versions up to, and including, 2.5.3

Description: The issue allows unauthorized access to data due to a missing capability check on the export all data function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII).

Recommendations: For versions up to, and including, 2.5.3, update to a version that includes a fix for the missing capability check on the export all data function. As a temporary workaround, consider restricting access to the export all data function to prevent unauthorized exposure of sensitive affiliate data.