Platform
wordpress
Component
postaffiliatepro
Fixed in
1.28.1
CVE-2026-2290 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Post Affiliate Pro, a WordPress plugin. This vulnerability allows authenticated attackers with administrator privileges to make arbitrary outbound web requests, potentially leading to information disclosure or other malicious actions. The vulnerability impacts versions up to and including 1.28.0. Mitigation involves upgrading to a patched version of the plugin.
An attacker exploiting this SSRF vulnerability could potentially read sensitive data from internal services accessible to the Post Affiliate Pro plugin. This could include internal configuration files, database information, or even access to other internal applications. While the CVSS score is LOW, the potential for data exposure and the ease of exploitation (requiring only administrator access) make this a significant risk. The ability to initiate arbitrary outbound requests also opens the door to further attacks, such as probing internal networks or attempting to access restricted resources. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint, demonstrating the vulnerability's functionality.
CVE-2026-2290 was published on 2026-03-20. There is no indication of this vulnerability being actively exploited in the wild or listed on KEV. The EPSS score is likely low given the LOW CVSS score and lack of public exploitation reports. No public Proof-of-Concept (PoC) exploits have been identified at the time of writing.
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2290 is to upgrade Post Affiliate Pro to a version that addresses the SSRF vulnerability. Unfortunately, a fixed version is not explicitly listed in the provided data. Until a patched version is available, consider implementing temporary workarounds. These might include restricting outbound network access for the WordPress instance using a Web Application Firewall (WAF) or proxy server, specifically blocking requests to external Collaborator endpoints. Review Post Affiliate Pro's configuration to minimize the plugin's access to internal resources. After upgrading, confirm the vulnerability is resolved by attempting a request to an external Collaborator endpoint and verifying that it is blocked or handled securely.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-2290 is a Server-Side Request Forgery vulnerability in Post Affiliate Pro WordPress plugin versions up to 1.28.0, allowing authenticated admins to make outbound requests.
You are affected if you are using Post Affiliate Pro version 1.28.0 or earlier. Check your plugin version using wp plugin list.
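As an added example (not part of this advisory), the following POSIX shell check parses the CSV output of `wp plugin list --format=csv` and reports whether the installed plugin is in the affected range (1.28.0 or earlier). It assumes the plugin's slug is `postaffiliatepro`, as given in the Component field above; the CSV embedded in the script is constructed sample output, not captured from a real site.

```shell
#!/bin/sh
# Added example: is the installed postaffiliatepro plugin <= 1.28.0 (CVE-2026-2290 range)?
# Assumption: the plugin slug as reported by wp-cli is "postaffiliatepro".
# Constructed sample of `wp plugin list --format=csv` output (not from a real site):
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
postaffiliatepro,active,available,1.27.3
hello,inactive,none,1.7.2'

# version_le A B: succeeds (exit 0) when dotted version A <= B, comparing
# each numeric component in turn; missing components count as 0 (1.28 == 1.28.0)
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# pap_version: reads wp-cli CSV on stdin and prints the postaffiliatepro version
# (prints nothing when the plugin is not installed)
pap_version() {
    awk -F, '$1 == "postaffiliatepro" { print $4 }'
}

# is_affected: reads wp-cli CSV on stdin; exit 0 if postaffiliatepro is installed
# at a version <= 1.28.0, exit 1 if absent or already above the affected range
is_affected() {
    v=$(pap_version)
    [ -n "$v" ] || return 1
    version_le "$v" "1.28.0"
}

# Stand-alone run against the constructed sample.
# Real use on a site: wp plugin list --format=csv | is_affected
if printf '%s\n' "$SAMPLE_PLUGIN_LIST" | is_affected; then
    echo "postaffiliatepro is in the affected range (<= 1.28.0): upgrade the plugin"
else
    echo "postaffiliatepro is not installed or is above 1.28.0"
fi
```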
Upgrade Post Affiliate Pro to a patched version. As a temporary workaround, restrict outbound network access using a WAF or proxy server.
There are currently no public reports of CVE-2026-2290 being actively exploited in the wild.
Refer to the Post Affiliate Pro website and WordPress plugin repository for updates and advisories regarding CVE-2026-2290.