PatchSiren cyber security CVE debrief
CVE-2025-14361 AA-Team CVE debrief
A Missing Authorization vulnerability (CWE-862) in the AA-Team Woocommerce Envato Affiliates WordPress plugin allows authenticated attackers with low privileges to access functionality not properly constrained by access control lists. The vulnerability affects versions up to and including 1.2.1. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) indicates a network-attackable, low-complexity issue requiring low privileges, with high impact to integrity and low impact to availability, resulting in a HIGH severity score of 7.1. The vulnerability was disclosed via Patchstack and received by NVD on 2026-05-26. No known exploitation in ransomware campaigns has been reported.
- Vendor: AA-Team
- Product: Woocommerce Envato Affiliates
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators using the Woocommerce Envato Affiliates plugin; security teams managing WordPress installations; WooCommerce merchants relying on Envato affiliate integrations
Technical summary
The Woocommerce Envato Affiliates plugin fails to enforce access control checks on sensitive functionality, so authenticated users with low privileges can modify plugin settings or reach administrative features. The root cause is a missing authorization check (CWE-862): the affected code path does not verify that the requesting user holds the capability the operation requires. The vulnerable endpoints are network-accessible and need no user interaction beyond the attacker's own authenticated request. The integrity impact is rated HIGH, reflecting the potential for unauthorized configuration changes, while the availability impact is LOW.
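To make the CWE-862 pattern concrete, the following is an added example written for this debrief; it is not code from the Woocommerce Envato Affiliates plugin and says nothing about where the real defect lives. It shows a hypothetical WordPress settings handler in the shape that typically produces this class of finding (an `admin-ajax.php` action and a REST route reachable by any logged-in user) next to the hardened form that checks the capability, the nonce, and the input before writing an option. The action names, the `affiliate-demo/v1` REST namespace and the `affiliate_demo_settings` option key are assumptions; the WordPress functions used are real core APIs.

```php
<?php
/**
 * Hypothetical WordPress plugin settings handlers, constructed for this
 * debrief. NOT code from the Woocommerce Envato Affiliates plugin.
 * Action names, the REST namespace and the option key are assumptions.
 */

// --- Vulnerable pattern (CWE-862) ---
// wp_ajax_{action} fires for every authenticated user regardless of role.
// With no capability check and no nonce check, a Subscriber-level account
// can overwrite the plugin's configuration (the HIGH integrity impact).
add_action( 'wp_ajax_affiliate_demo_save_settings_vulnerable', function () {
    $settings = array(
        'api_key'  => isset( $_POST['api_key'] ) ? wp_unslash( $_POST['api_key'] ) : '',
        'referrer' => isset( $_POST['referrer'] ) ? wp_unslash( $_POST['referrer'] ) : '',
    );
    update_option( 'affiliate_demo_settings', $settings );
    wp_send_json_success( 'saved' );
} );

// --- Hardened pattern: explicit authorization before any state change ---
add_action( 'wp_ajax_affiliate_demo_save_settings', 'affiliate_demo_save_settings' );

function affiliate_demo_save_settings() {
    // 1. Authorization. Only users allowed to manage site options proceed.
    //    This is the check whose absence CWE-862 describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection. The request must carry a nonce bound to this action
    //    (generated server-side with wp_create_nonce( 'affiliate_demo_save_settings' )).
    check_ajax_referer( 'affiliate_demo_save_settings', 'nonce' );

    // 3. Input validation. Sanitize before persisting.
    $settings = array(
        'api_key'  => isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '',
        'referrer' => isset( $_POST['referrer'] ) ? esc_url_raw( wp_unslash( $_POST['referrer'] ) ) : '',
    );

    update_option( 'affiliate_demo_settings', $settings );
    wp_send_json_success( 'saved' );
}

// --- The same defect and fix on a REST route ---
add_action( 'rest_api_init', function () {
    // Vulnerable: a permission_callback that always allows is equivalent
    // to having no authorization at all.
    register_rest_route( 'affiliate-demo/v1', '/settings-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'affiliate_demo_rest_save',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: permission_callback enforces the capability. WordPress
    // returns 401/403 before the callback runs when it yields false.
    register_rest_route( 'affiliate-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'affiliate_demo_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function affiliate_demo_rest_save( WP_REST_Request $request ) {
    $settings = array(
        'api_key'  => sanitize_text_field( (string) $request->get_param( 'api_key' ) ),
        'referrer' => esc_url_raw( (string) $request->get_param( 'referrer' ) ),
    );
    update_option( 'affiliate_demo_settings', $settings );
    return rest_ensure_response( array( 'status' => 'saved' ) );
}
```

When auditing a plugin for this class of issue, the two places to read first are every `wp_ajax_*` / `wp_ajax_nopriv_*` hook and every `register_rest_route()` call: each handler that changes state should have a `current_user_can()` check (or a `permission_callback` that is not `__return_true`) before the first `update_option()`, database write or file operation. A nonce check alone is not authorization; it only proves the request originated from a page WordPress served to that same low-privileged user.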
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Woocommerce Envato Affiliates plugin to a version newer than 1.2.1 if available, or remove the plugin if no patch is provided
- Review WordPress user roles and capabilities to enforce principle of least privilege
- Implement Web Application Firewall (WAF) rules to restrict unauthorized access to plugin administrative endpoints
- Monitor WordPress audit logs for unauthorized settings changes indicative of exploitation
- Subscribe to vendor security advisories or Patchstack notifications for patch availability
Evidence notes
Vulnerability disclosed through Patchstack; NVD status 'Received' as of 2026-05-26. CVSS vector and CWE classification sourced from NVD reference metadata. Vendor attribution to 'AA-Team' per CVE description; vendor confidence marked low due to 'Unknown Vendor' classification in source data.
Official resources
- CVE-2025-14361 CVE record (CVE.org)
- CVE-2025-14361 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 2026-05-26