{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39715", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:29.177Z", "datePublished": "2026-04-08T08:30:49.638Z", "dateUpdated": "2026-04-08T08:30:49.638Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "anytrack-affiliate-link-manager", "product": "AnyTrack Affiliate Link Manager", "vendor": "AnyTrack", "versions": [{"lessThanOrEqual": "1.5.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:46.127Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.</p>"}], "value": "Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:49.638Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/anytrack-affiliate-link-manager/vulnerability/wordpress-anytrack-affiliate-link-manager-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress AnyTrack Affiliate Link Manager plugin <= 1.5.5 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5."}], "id": "CVE-2026-39715", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:44.533", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/anytrack-affiliate-link-manager/vulnerability/wordpress-anytrack-affiliate-link-manager-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AnyTrack Affiliate Link Manager", "source": "cna", "vendor": "AnyTrack"}, "product": "anytrack_affiliate_link_manager", "vendor": "anytrack"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:22:08.534483+00:00", "value": {"mitigation_remediation": ["Update AnyTrack Affiliate Link Manager to version 1.5.6 or later as soon as possible.", "If an update is not yet available, remove or deactivate the plugin until a patch is released.", "Restrict WordPress admin access to trusted personnel using role\u2011based access controls or IP restrictions.", "Monitor WordPress admin logs for suspicious activity related to the plugin."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted access to plugin administrative functions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin AnyTrack Affiliate Link Manager from version 1.5.5 and earlier. All installations of the plugin in a WordPress environment are potentially impacted, regardless of the domain or hosting configuration.", "description_and_impact": "The flaw is a missing authorization check that permits untrusted users to access or modify the affiliate link manager. Attackers can alter link properties, inject malicious URLs, or delete existing links. The weakness corresponds to CWE\u2011862, which indicates a missing authorization vulnerability. The flaw allows either confidentiality exposure if sensitive link data is accessed, integrity compromise through unauthorized link modification, or availability reduction if links are destroyed.", "risk_and_exploitability": "The CVSS score is not publicly disclosed, and no EPSS value is available, so the exact severity cannot be quantified. Based on the description, it is inferred that the attacker can send crafted requests to the plugin\u2019s admin endpoints without proper authentication, thereby exploiting the flaw. This results in high risk due to potential widespread abuse if the site\u2019s admin interface is not adequately protected."}}}}, "created": "2026-04-08T19:27:21.354484+00:00", "updated": "2026-04-08T19:40:01.964000+00:00", "vendors": ["anytrack", "anytrack$PRODUCT$anytrack_affiliate_link_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}