{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2290", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T15:26:38.230Z", "datePublished": "2026-03-21T03:26:40.402Z", "dateUpdated": "2026-04-08T16:46:10.535Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:10.535Z"}, "affected": [{"vendor": "jurajsim", "product": "Post Affiliate Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.28.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint."}], "title": "Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127"}, {"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phap Nguyen Anh"}], "timeline": [{"time": "2026-03-20T15:20:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:34:07.788646Z", "id": "CVE-2026-2290", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:34:22.728Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2290", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:34:07.788646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:34:16.346Z"}}], "cna": {"title": "Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field", "credits": [{"lang": "en", "type": "finder", "value": "Phap Nguyen Anh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "jurajsim", "product": "Post Affiliate Pro", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.28.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:20:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127"}, {"url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127"}], "descriptions": [{"lang": "en", "value": "The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:40.402Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2290", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:34:22.728Z", "dateReserved": "2026-02-10T15:26:38.230Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:40.402Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint."}, {"lang": "es", "value": "El plugin Post Affiliate Pro para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor en todas las versiones hasta la 1.28.0, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador, realicen peticiones web para iniciar peticiones salientes arbitrarias desde la aplicaci\u00f3n y leer el contenido de la respuesta devuelta. La explotaci\u00f3n exitosa fue confirmada al recibir y observar datos de respuesta desde un endpoint de Collaborator externo."}], "id": "CVE-2026-2290", "lastModified": "2026-04-08T18:25:54.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:16:58.187", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php#L127"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php#L127"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.28.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Post Affiliate Pro", "source": "cna", "vendor": "jurajsim"}, "product": "post_affiliate_pro", "vendor": "jurajsim"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T19:06:40.115420+00:00", "value": {"mitigation_remediation": ["Upgrade to Post Affiliate Pro version 1.29.0 or later, which removes the vulnerable URL processing.", "If an upgrade is not feasible, uninstall the Post Affiliate Pro plugin entirely.", "Ensure that only trusted administrators have access to the WordPress backend.", "Enforce strong passwords and multi\u2011factor authentication for administrator accounts.", "Monitor outbound traffic from the WordPress server for unexpected requests to detect potential abuse."], "summary": {"action": "Immediate Patch", "impact": "Authenticated Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Vendor JurajSim Product Post Affiliate Pro plugin for WordPress All versions up to and including 1.28.0 are affected.", "description_and_impact": "The vulnerability allows an authenticated user with Administrator privileges to craft a URL in the Post Affiliate Pro \"URL\" field that the plugin will request on the server\u2019s behalf. The returned content can then be read by the attacker, effectively giving the ability to perform arbitrary outbound HTTP/HTTPS requests from the web server and retrieve response data. This can expose internal resources, leak sensitive information, or serve as a foothold for further attacks.", "risk_and_exploitability": "The CVSS rating of 3.8 indicates low severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw requires Administrator access within the same WordPress installation, limiting the scope to compromised admin accounts. The vulnerability is not listed in CISA\u2019s KEV catalog, and no publicly available exploit is widely disseminated."}}}}, "created": "2026-03-23T09:50:50.383100+00:00", "updated": "2026-04-08T20:01:24.600022+00:00", "vendors": ["jurajsim", "jurajsim$PRODUCT$post_affiliate_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}