Wordfence flags WP Affiliate Plugin insecure without further information

Hi @gunther12

You can read about the vulnerability here:

https://wpscan.com/vulnerability/4f94aefe-fd3e-40be-be60-9c2fb33e8dd3

This one is a false positive. The original issue reported on the following post was fixed back in 2014 but looks like the post didn’t get updated:
https://packetstormsecurity.com/files/126424/

We have contacted them to see what needs to be done to update the above report to say it was patched a long time ago.

Hi @mra13

Thank you for the update.

Not yet it isn’t.

The developer of the plugin reached out to us and we responded asking for proof the vulnerability was patched (so we could update our data accordingly). However, we have yet to receive a response back from them. We just followed up so we can hopefully get this updated sooner (if the vulnerability was actually patched).

Hi @mra13

We have heard back from the authors at WP Affiliate Platform that shared a copy of the plugin with us. We have verified the vulnerability is patched in version 6.3.9 so users can now update to the latest version for the patch. We are still waiting to hear back from them if this patch was applied in an earlier version or just now in 6.3.9, but regardless updating to 6.3.9 should patch the issue.