CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Description
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to initiate arbitrary outbound web requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
Analysis
The Post Affiliate Pro WordPress plugin versions up to 1.28.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated administrators to make arbitrary outbound web requests from the affected server and read response content. An attacker with administrator-level access can exploit this to interact with internal services, exfiltrate data, or pivot to other systems. …
Remediation
Within 30 days: Identify affected systems running the Post Affiliate Pro plugin for WordPress and apply vendor patches as part of the regular patch cycle. Monitor vendor channels for patch availability.
EUVD-2026-13997
GHSA-fhxr-xhmq-xjw7