affiliate-toolkit – WordPress Affiliate Plugin, CVE-2023-5877

CVE, Research URL: CVE-2023-5877
Home page URL: Security reports for affiliate-toolkit – WordPress Affiliate Plugin
Application: affiliate-toolkit – WordPress Affiliate Plugin
Published on: Jan 01, 2024
Research Description: The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.
Affected versions: Min -, max 3.4.3.
Status: vulnerable