CVE-2026-2290

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127
https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127
https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-21 04:16

Updated : 2026-03-23 14:32

NVD link : CVE-2026-2290

Mitre link : CVE-2026-2290

CVE.ORG link : CVE-2026-2290

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-2290", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-03-21T04:16:58.187", "references": [{"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint."}, {"lang": "es", "value": "El plugin Post Affiliate Pro para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor en todas las versiones hasta la 1.28.0, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador, realicen peticiones web para iniciar peticiones salientes arbitrarias desde la aplicaci\u00f3n y leer el contenido de la respuesta devuelta. La explotaci\u00f3n exitosa fue confirmada al recibir y observar datos de respuesta desde un endpoint de Collaborator externo."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security@wordfence.com"}