CVE-2026-2290: CWE-918 Server-Side Request Forgery (SSRF) in jurajsim Post Affiliate Pro
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
AI Analysis
Technical Summary
CVE-2026-2290 is a Server-Side Request Forgery vulnerability (CWE-918) in the Post Affiliate Pro WordPress plugin maintained by jurajsim. It affects all versions up to and including 1.28.0. Authenticated attackers with Administrator privileges can abuse this vulnerability to initiate arbitrary outbound HTTP requests from the server hosting the plugin and read the responses. This can potentially be used to access internal resources or external systems reachable from the server. The vulnerability was confirmed by successful interaction with an external Collaborator endpoint. The CVSS v3.1 base score is 3.8, reflecting low severity due to the requirement for high privileges and limited impact on confidentiality and integrity.
Potential Impact
An attacker with Administrator-level access can leverage this SSRF vulnerability to make arbitrary outbound HTTP requests from the server and read response data. This may allow the attacker to interact with internal or external systems accessible from the server, potentially exposing sensitive information or enabling further attacks. However, the impact is limited by the requirement for administrator privileges and the low CVSS score. There is no indication of denial of service or code execution impact.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. In the meantime, restrict administrator access to trusted users only to reduce risk. Since this vulnerability requires administrator privileges, limiting such access is a key mitigation step. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-2290: CWE-918 Server-Side Request Forgery (SSRF) in jurajsim Post Affiliate Pro
Description
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2290 is a Server-Side Request Forgery vulnerability (CWE-918) in the Post Affiliate Pro WordPress plugin maintained by jurajsim. It affects all versions up to and including 1.28.0. Authenticated attackers with Administrator privileges can abuse this vulnerability to initiate arbitrary outbound HTTP requests from the server hosting the plugin and read the responses. This can potentially be used to access internal resources or external systems reachable from the server. The vulnerability was confirmed by successful interaction with an external Collaborator endpoint. The CVSS v3.1 base score is 3.8, reflecting low severity due to the requirement for high privileges and limited impact on confidentiality and integrity.
Potential Impact
An attacker with Administrator-level access can leverage this SSRF vulnerability to make arbitrary outbound HTTP requests from the server and read response data. This may allow the attacker to interact with internal or external systems accessible from the server, potentially exposing sensitive information or enabling further attacks. However, the impact is limited by the requirement for administrator privileges and the low CVSS score. There is no indication of denial of service or code execution impact.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. In the meantime, restrict administrator access to trusted users only to reduce risk. Since this vulnerability requires administrator privileges, limiting such access is a key mitigation step. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-10T15:26:38.230Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69be180bf4197a8e3b784280
Added to database: 3/21/2026, 4:01:15 AM
Last enriched: 4/9/2026, 6:39:50 PM
Last updated: 5/4/2026, 3:35:50 AM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.