Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
Post Affiliate Pro plugin for WordPress allows attackers to make unauthorized requests
CVE-2026-2290
Summary
Authenticated attackers with admin access can make external requests and access response data. This could allow them to steal sensitive information or disrupt third-party services. Update to version 1.28.1 or higher to fix the issue.
Original title
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Admin...
Original description
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
nvd CVSS3.1
6.5
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026