CVE-2024-2298: 
WordPress vulnerability analysis and mitigation

The affiliate-toolkit WordPress Affiliate Plugin (versions up to 3.5.4) contains a vulnerability identified as CVE-2024-2298, discovered and disclosed on March 8, 2024. The vulnerability stems from a missing capability check in the atkpimportproduct() function, affecting the plugin's security controls (NVD).

The vulnerability is characterized by a missing authorization check (CWE-862) in the atkpimportproduct() function. The CVSS v3.1 score is 4.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating a network-accessible vulnerability with low attack complexity requiring low privileges (Wordfence).

The vulnerability allows authenticated attackers with subscriber-level access or higher to perform unauthorized actions, specifically the ability to import products without proper authorization. This could potentially lead to unauthorized manipulation of product data in the affected WordPress installations (NVD).

A patch has been released to address this vulnerability. Users should upgrade to version 3.5.5 or later of the affiliate-toolkit WordPress plugin to mitigate this security issue (WordPress Plugin).