CVE-2024-12336: 
WordPress vulnerability analysis and mitigation

The WC Affiliate – A Complete WooCommerce Affiliate Plugin for WordPress contains a vulnerability due to a missing capability check on the 'exportalldata' function in versions up to and including 2.5.3. This security flaw allows authenticated attackers with Subscriber-level access or higher to expose sensitive affiliate data, including personally identifiable information (PII) (NVD).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The security issue stems from inadequate authorization controls in the plugin's data export functionality, which fails to properly verify user permissions before allowing access to sensitive affiliate information (Wordfence).

The vulnerability allows authenticated users with minimal privileges (Subscriber level or above) to access and expose sensitive affiliate data, including personally identifiable information. This unauthorized access to confidential information could potentially lead to privacy violations and compromise of affiliate personal data (NVD).

Website administrators running the WC Affiliate plugin should immediately update to a version newer than 2.5.3 if available. Until an update can be applied, it is recommended to review and restrict user access levels to the WordPress installation to minimize potential exploitation (NVD).