Refine your search
1 vulnerability found for by jurajsim
CVE-2026-2290 (GCVE-0-2026-2290)
Vulnerability from cvelistv5
Published
2026-03-21 03:26
Modified
2026-04-08 16:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jurajsim | Post Affiliate Pro |
Version: 0 ≤ 1.28.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T16:34:07.788646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T16:34:22.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Affiliate Pro",
"vendor": "jurajsim",
"versions": [
{
"lessThanOrEqual": "1.28.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phap Nguyen Anh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:10.535Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127"
},
{
"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-20T15:20:43.000Z",
"value": "Disclosed"
}
],
"title": "Post Affiliate Pro \u003c= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via \u0027Post Affiliate Pro URL\u0027 Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2290",
"datePublished": "2026-03-21T03:26:40.402Z",
"dateReserved": "2026-02-10T15:26:38.230Z",
"dateUpdated": "2026-04-08T16:46:10.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}