CVE-2026-52692: WordPress Affiliates Manager plugin <= 2.9.50 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated sensitive data exposure vulnerability affects the Affiliates Manager WordPress plugin at version 2.9.50 and below. The vulnerability is reachable over the network with no authentication required, meaning any external actor who can send HTTP requests to a site running the plugin can trigger the exposure. Successful exploitation allows an attacker to read sensitive data from the affected WordPress installation. No fix version has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships one.
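The affected range is every plugin release at or below 2.9.50, so the first thing a defender wants is a reliable way to tell whether a given WordPress tree (or a container image layer) carries an affected copy. The following Python script is an added example, not code from the advisory, from Patchstack or from HarborGuard: it walks a wp-content/plugins directory, reads the standard WordPress plugin header ("Plugin Name:" / "Version:") from each plugin's main PHP file, and compares the version numerically against 2.9.50. The plugin directory slug "affiliates-manager" and the sample headers are constructed for the demo and are assumptions; the real plugin is matched on its header name rather than its folder name.

```python
"""Check a WordPress plugins directory for Affiliates Manager <= 2.9.50.

WordPress plugins declare their version in the comment block at the top of the
plugin's main PHP file ("Version: x.y.z"). This walks wp-content/plugins,
parses those headers and flags the affected range from the advisory.
"""
import os
import re
import tempfile

# Affected range from the advisory: every version <= 2.9.50.
LAST_AFFECTED = "2.9.50"
# Header lines may or may not carry a leading " * " inside the comment block.
PLUGIN_NAME_PATTERN = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.M)
VERSION_PATTERN = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)\s*$", re.M)


def parse_version(text):
    """Turn '2.9.50' into (2, 9, 50) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip(".").split("."))


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected; shorter tuples are zero-padded (2.9 == 2.9.0)."""
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def read_plugin_header(php_source):
    """Return (plugin_name, version) from a plugin file header, or None if absent."""
    # Only the leading comment block is the header; stop at its closing "*/".
    header = php_source.split("*/", 1)[0]
    name = PLUGIN_NAME_PATTERN.search(header)
    version = VERSION_PATTERN.search(header)
    if not name or not version:
        return None
    return name.group(1), version.group(1)


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and report every Affiliates Manager copy found."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_path):
            continue
        for filename in sorted(os.listdir(plugin_path)):
            if not filename.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, filename), encoding="utf-8", errors="replace") as fh:
                header = read_plugin_header(fh.read(4096))  # header sits in the first few KB
            if header and "affiliates manager" in header[0].lower():
                findings.append({"path": plugin_path, "version": header[1],
                                 "affected": is_affected(header[1])})
                break  # one main file per plugin is enough
    return findings


def demo():
    """Build a constructed plugin tree (sample data, not a real site) and scan it."""
    root = tempfile.mkdtemp()
    # Slug "affiliates-manager" and the header text are assumptions for the demo.
    samples = {"affiliates-manager": ("Affiliates Manager", "2.9.50"),
               "some-other-plugin": ("Other Plugin", "1.2.3")}
    for slug, (name, version) in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: %s\n */\n" % (name, version))
    return scan_plugins_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The numeric comparison matters: a plain string comparison would rank "2.10.0" below "2.9.50" and mark a hypothetical later release as affected, which is exactly the kind of false positive that erodes trust in a scanner.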
HarborGuard Coverage
Detection of CVE-2026-52692 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Affiliates Manager plugin. Any image at or below version 2.9.50 of the plugin is flagged automatically.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting the finding against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team or inbox within the customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears upstream. Until then, the finding remains open and trackable in the customer's vulnerability backlog.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress service over the network; no local or physical access is needed, making any internet-exposed site a viable target.
- Authentication: Not required
  No account or session token is needed; the attacker can trigger the exposure as an anonymous HTTP client.
- Victim interaction: Not required
  No user action is required; the attacker can exploit the vulnerability entirely on their own without involving a logged-in user.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.
Blast Radius
- An unauthenticated attacker reads sensitive data exposed by the plugin, which may include affiliate account details, commission records, or other business-sensitive information stored by the plugin.
- Exposed data can be harvested at scale with no account creation or prior reconnaissance, lowering the bar for mass-scanning attacks against sites running the plugin.
- Confidentiality of affiliate partner data is fully compromised; integrity and availability of the service are not directly affected by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked continuously against all customer images that bundle the Affiliates Manager plugin at version 2.9.50 or below. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version is published. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations, such as restricting public HTTP access to affected plugin endpoints via ingress rules or web application firewall policies. For customers with auto-remediation enabled, the patched rebuild, regression test run, and PR against affected workloads will be triggered automatically once upstream ships a fix, with no manual intervention required.
Affected Products
- wp.insider / Affiliates Manager: ≤ 2.9.50
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N