The affiliate-toolkit WordPress plugin suffers from a missing capability check (CWE-862) in the atkp_import_product() function, which leads to unauthorized access. Authenticated users with low privileges (subscriber-level and above) can exploit this flaw to import products without proper authorization. The vulnerability affects all versions up to 3.5.4 and has a CVSS 3.1 base score of 4.3, reflecting a medium severity level. No official patch or remediation guidance has been provided yet.

An attacker with subscriber-level or higher access can perform unauthorized product import actions within the plugin, potentially leading to unauthorized data manipulation or content injection. The vulnerability does not impact confidentiality or availability but does affect integrity by allowing unauthorized modifications.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict user roles to trusted users only and monitor for suspicious activity related to product imports within the plugin. Avoid granting subscriber-level access to untrusted users.