CVE-2025-14361
Description
Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WooCommerce Envato Affiliates plugin (≤1.2.1) allows unauthenticated attackers to change plugin settings.
Vulnerability
The WooCommerce Envato Affiliates plugin by AA-Team versions up to and including 1.2.1 suffers from a missing authorization vulnerability. The plugin fails to properly check permissions on certain functionality, allowing access to settings that should be restricted to administrators. This affects all installations using the plugin without the latest patch.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted requests to the vulnerable endpoints. No authentication or user interaction is required. The attack can be performed remotely over the network. The Patchstack advisory [1] indicates this vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites.
Impact
Successful exploitation allows an attacker to change plugin settings without authorization. This could lead to unauthorized modifications of the affiliate configuration, potentially redirecting commissions or altering the integration with Envato. The CVSS score of 7.1 (High) reflects the combination of moderate impact and ease of exploitation.
Mitigation
The vendor has not released a patched version as of the publication date. The recommended immediate action is to update the plugin if a fix becomes available. If unable to update, users should contact their hosting provider or web developer for assistance. The vulnerability is listed as expected to be exploited, so prompt action is advised [1].
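The advisory describes the bug class (a settings handler reachable without an authorization check) but not the plugin's code. As an added illustration, not the plugin's own code, the block below shows a hypothetical WordPress settings handler in the unchecked form beside a hardened form. The hook, action, nonce and option names (`aff_demo_*`) and the `affiliate_id` field are invented for the example.

```php
<?php
/**
 * Added example (not the plugin's code): a hypothetical WordPress settings
 * handler in its unchecked form and in a hardened form. Hook, action, nonce
 * and option names ("aff_demo_*") are invented for illustration.
 */

// --- Weak pattern: the handler saves settings for any request that reaches it.
// Registering it on admin_post_nopriv_* makes it reachable without a login,
// and nothing inside verifies who the caller is or whether they may change
// site options. This is the shape of a "missing authorization" finding.
add_action( 'admin_post_nopriv_aff_demo_save', 'aff_demo_save_settings_unchecked' );
add_action( 'admin_post_aff_demo_save', 'aff_demo_save_settings_unchecked' );

function aff_demo_save_settings_unchecked() {
    // Any visitor can overwrite the affiliate configuration.
    update_option( 'aff_demo_affiliate_id', $_POST['affiliate_id'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php?page=aff-demo' ) );
    exit;
}

// --- Hardened pattern: the same handler with the three checks a settings
// endpoint needs: authentication (logged-in-only hook), authorization
// (capability check) and request integrity (nonce), plus input validation.
add_action( 'admin_post_aff_demo_save_hardened', 'aff_demo_save_settings_hardened' );
// Deliberately NO admin_post_nopriv_* registration: unauthenticated requests
// never reach this function.

function aff_demo_save_settings_hardened() {
    // Authorization: only users allowed to manage site options may proceed.
    // A nonce alone is not authorization; a low-privilege logged-in user can
    // obtain a valid nonce, so the capability check is what closes the hole.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Request integrity: reject submissions that did not originate from our form.
    check_admin_referer( 'aff_demo_save_settings', 'aff_demo_nonce' );

    // Input validation: constrain the value before it is stored.
    $affiliate_id = isset( $_POST['affiliate_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['affiliate_id'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $affiliate_id ) ) {
        wp_die( 'Invalid affiliate ID.', 'Bad Request', array( 'response' => 400 ) );
    }

    update_option( 'aff_demo_affiliate_id', $affiliate_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=aff-demo&updated=1' ) );
    exit;
}

// The matching admin form: the nonce field ties submissions to this action.
function aff_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="aff_demo_save_hardened">
        <?php wp_nonce_field( 'aff_demo_save_settings', 'aff_demo_nonce' ); ?>
        <input type="text" name="affiliate_id"
               value="<?php echo esc_attr( get_option( 'aff_demo_affiliate_id', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For review or triage of a plugin against this bug class, the useful audit is mechanical: list every handler registered on `admin_post_nopriv_*`, `wp_ajax_nopriv_*` or a public REST route with a permissive `permission_callback`, and check whether any of them call `update_option`, `delete_option` or otherwise change state. A handler that writes settings and has no `current_user_can()` (or equivalent) guard on the path to the write is the defect regardless of whether a nonce is present.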
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.