CVE-2026-39715
Description
Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AnyTrack Affiliate Link Manager plugin ≤1.5.5 has a missing authorization vulnerability allowing unauthenticated exploitation of incorrectly configured access controls.
Vulnerability Overview
The AnyTrack Affiliate Link Manager plugin for WordPress, versions through 1.5.5, has a missing authorization vulnerability. The flaw stems from improperly configured access control security levels: a broken access control issue in which functions lack necessary authorization, authentication, or nonce token checks [1].
Attack Vector
This vulnerability can be exploited without authentication, as the missing authorization check allows an attacker to perform higher-privileged actions. Successful exploitation does not require any special network position or user interaction. The vulnerability is particularly concerning because it is known to be used in mass-exploit campaigns, where attackers target thousands of websites simultaneously regardless of site size or popularity [1].
Impact
An attacker exploiting this vulnerability can bypass access controls to execute actions that should require higher privileges, potentially leading to unauthorized modification or access to affiliate link management data. The CVSS v3 score of 5.3 reflects this medium severity, though the ease of exploitation and potential for automated attacks amplifies the real-world risk [1].
Mitigation
As an immediate action, users should update the AnyTrack Affiliate Link Manager plugin to a patched version beyond 1.5.5. If updating is not possible, contact your hosting provider or web developer for help implementing appropriate access control measures or removing the vulnerable plugin [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.5.5
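A check for the affected range above, added here as an example and not taken from the plugin or the advisory: it reads the plugin's Version header on each site and flags installs at or below 1.5.5. It assumes the standard wp-content/plugins layout, approximates how WordPress parses plugin headers, and uses constructed sample sites.

```python
import re
import tempfile
from pathlib import Path

SLUG = "anytrack-affiliate-link-manager"   # plugin slug from the CVE description
LAST_AFFECTED = "1.5.5"                    # affected range on the page: <= 1.5.5
HEADER_NAME = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)  # approximates WP parsing
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def version_key(v):
    """Numeric tuple for dotted versions, padded so 1.5 compares equal to 1.5.0."""
    parts = [int(n) for n in re.findall(r"\d+", v)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def installed_version(wp_root):
    """Version header of the plugin under wp_root; None if the plugin is absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        if HEADER_NAME.search(head):
            m = HEADER_VERSION.search(head)
            return m.group(1) if m else "unknown"
    return "unknown"

def classify(wp_root):
    v = installed_version(wp_root)
    if v is None:
        return "not-installed"
    if v == "unknown":
        return "review"  # plugin directory present but no readable version header
    return "affected" if version_key(v) <= version_key(LAST_AFFECTED) else "outside-range"

def demo():
    """Constructed sample sites; the header text is invented for this example."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in [("site-a", "1.5.5"), ("site-b", "1.5.10"), ("site-c", None)]:
            plugins = Path(tmp) / name / "wp-content" / "plugins"
            plugins.mkdir(parents=True)
            if ver:
                (plugins / SLUG).mkdir()
                (plugins / SLUG / "main.php").write_text(
                    f"<?php\n/*\n * Plugin Name: Sample\n * Version: {ver}\n */\n")
            results[name] = classify(plugins.parent.parent)
    return results

if __name__ == "__main__":
    print(demo())
```

Versions are compared numerically, so 1.5.10 is correctly treated as later than 1.5.5, which a plain string comparison would get wrong.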
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.