This vulnerability in Affiliates Manager (wp.insider) versions up to 2.9.49 is due to missing authorization checks (CWE-862), resulting in broken access control. The CVSS 3.1 score is 6.5 (medium), with an attack vector over the network, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The lack of authorization may allow an attacker with some privileges to perform unauthorized actions affecting data integrity. No vendor advisory or patch is currently available, and no known exploits are reported in the wild.

An attacker with low privileges can exploit the missing authorization controls to perform unauthorized actions that compromise the integrity of the Affiliates Manager plugin data or functionality. There is no impact on confidentiality or availability. The vulnerability does not require user interaction and can be exploited remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected plugin features to trusted users only and monitor for suspicious activity related to privilege misuse. Avoid granting unnecessary privileges to users within the Affiliates Manager plugin.