CVE-2026-2290

LOW 3.8

Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field

CVSS Score

3.8

EPSS Score

0.0%

EPSS Percentile

0th

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.

CWE	CWE-918
Vendor	jurajsim
Product	post affiliate pro
Published	Mar 21, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for jurajsim post affiliate pro

Be the first to know when new low vulnerabilities affecting jurajsim post affiliate pro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

jurajsim / Post Affiliate Pro

0 ≤ 1.28.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127

Credits

Phap Nguyen Anh