The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SSRF
Authentication Bypass
WordPress
PHP
Affiliate Toolkit
NVD
WPScan
CVSS 3.1
9.8
EPSS
0.4%