Description
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
Published: 2026-03-21
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with Administrator privileges to craft a URL in the Post Affiliate Pro "URL" field that the plugin will request on the server’s behalf. The returned content can then be read by the attacker, effectively giving the ability to perform arbitrary outbound HTTP/HTTPS requests from the web server and retrieve response data. This can expose internal resources, leak sensitive information, or serve as a foothold for further attacks.

Affected Systems

Vendor JurajSim Product Post Affiliate Pro plugin for WordPress All versions up to and including 1.28.0 are affected.

Risk and Exploitability

The CVSS rating of 3.8 indicates low severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw requires Administrator access within the same WordPress installation, limiting the scope to compromised admin accounts. The vulnerability is not listed in CISA’s KEV catalog, and no publicly available exploit is widely disseminated.

Generated by OpenCVE AI on April 8, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Post Affiliate Pro version 1.29.0 or later, which removes the vulnerable URL processing.
  • If an upgrade is not feasible, uninstall the Post Affiliate Pro plugin entirely.
  • Ensure that only trusted administrators have access to the WordPress backend.
  • Enforce strong passwords and multi‑factor authentication for administrator accounts.
  • Monitor outbound traffic from the WordPress server for unexpected requests to detect potential abuse.

Generated by OpenCVE AI on April 8, 2026 at 19:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Jurajsim
Jurajsim post Affiliate Pro
Wordpress
Wordpress wordpress
Vendors & Products Jurajsim
Jurajsim post Affiliate Pro
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
Title Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Jurajsim Post Affiliate Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:10.535Z

Reserved: 2026-02-10T15:26:38.230Z

Link: CVE-2026-2290

cve-icon Vulnrichment

Updated: 2026-03-23T16:34:16.346Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:16:58.187

Modified: 2026-04-08T18:25:54.610

Link: CVE-2026-2290

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:24Z

Weaknesses