CVE-2024-0859: 
WordPress vulnerability analysis and mitigation

The Affiliates Manager plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 2.9.34. The vulnerability was discovered and disclosed on February 5, 2024, and is tracked as CVE-2024-0859. This security issue affects the WordPress plugin specifically in its affiliate management functionality (NVD).

The vulnerability stems from missing or incorrect nonce validation in the process_bulk_action function within ListAffiliatesTable.php. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity but requiring user interaction (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to delete affiliates from the system through forged requests. The attack can only be successful if an attacker can trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Site administrators running affected versions of the Affiliates Manager plugin should update to a patched version beyond 2.9.34. The vulnerability has been addressed through improved nonce validation in the process_bulk_action function (WordPress Plugin).