CVE-2026-2290

Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field

Severity: low
Vulnerability type: Server-Side Request Forgery (SSRF)
CVSS Score: 3.8
Patched in: Unpatched
Time to patch: N/A

Description

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to initiate arbitrary outbound web requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.28.0
Published: March 20, 2026
Last updated: April 15, 2026
Affected plugin: postaffiliatepro
Research Plan
Unverified

This research plan targets CVE-2026-2290, an authenticated SSRF vulnerability in the Post Affiliate Pro plugin. Since the source code is not provided, this plan focuses on discovery and precision mapping of the specific vulnerable parameters and AJAX/Admin actions.


1. Vulnerability Summary

The Post Affiliate Pro plugin for WordPress (versions <= 1.28.0) contains a Server-Side Request Forgery (SSRF) vulnerability. The flaw exists because the application allows an Administrator to specify a URL in the 'Post Affiliate Pro URL' field, which is subsequently fetched by the server using functions like wp_remote_get() or wp_remote_post(). Crucially, the plugin returns the body of the response to the user interface, allowing attackers to scan internal networks or read metadata from cloud environments (e.g., AWS/GCP metadata endpoints).

2. Attack Vector Analysis

  • Endpoint: Likely wp-admin/admin-ajax.php (if triggered via a button) or a settings save action in wp-admin/options.php.
  • Vulnerable Parameter: Likely named pap_url, url, or similar, corresponding to the "Post Affiliate Pro URL" label.
  • Authentication: Administrator-level access is required.
  • Preconditions: The plugin must be active. The attacker needs a valid session cookie and a security nonce.

3. Code Flow (Inferred)

  1. Entry Point: An admin page registered via add_menu_page() or add_options_page() (likely in a file like postaffiliatepro.php or includes/admin.php).
  2. Trigger: An AJAX action (e.g., wp_ajax_pap_test_connection) or a settings validation callback.
  3. Processing: The code retrieves the URL from the $_POST or $_GET request.
  4. Sink: The URL is passed to wp_remote_get() or wp_remote_request().
  5. Data Leakage: The $response['body'] or $response object is echoed or returned via wp_send_json_success(), exposing the content to the attacker.
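The inferred flow above (URL read from the request, passed to wp_remote_get(), body returned through wp_send_json_success()) is the textbook SSRF sink. As an added example, not code from Post Affiliate Pro, the first function below reconstructs that pattern and the second shows what a fix looks like: enforce capability and nonce, validate the destination before any fetch, use the safe HTTP wrapper, and report reachability instead of the remote body. The hook name wp_ajax_pap_test_connection, the url parameter, the nonce action and the function names are assumptions.

```php
<?php
// Added example, not Post Affiliate Pro's code. Hook name, 'url' parameter and the
// nonce action 'pap_test_connection' are assumptions chosen to match the inferred flow.

// --- Inferred vulnerable pattern (defined for contrast only, never registered) ----------
function pap_test_connection_vulnerable() {
	$url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
	$response = wp_remote_get( $url );                            // any scheme/host the admin typed
	wp_send_json_success( wp_remote_retrieve_body( $response ) ); // remote body goes to the browser
}

// --- Hardened replacement -------------------------------------------------------------
add_action( 'wp_ajax_pap_test_connection', 'pap_test_connection_hardened' );
function pap_test_connection_hardened() {
	check_ajax_referer( 'pap_test_connection' );           // dies on a missing/invalid nonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$url   = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ), array( 'http', 'https' ) ) : '';
	$check = pap_validate_outbound_url( $url );
	if ( is_wp_error( $check ) ) {
		wp_send_json_error( $check->get_error_message(), 400 );
	}

	// wp_safe_remote_get() keeps core's own host checks on top of ours; redirection => 0 so a
	// public host cannot bounce the request to an internal one via a 3xx.
	$response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) ) {
		wp_send_json_error( 'connection failed', 502 );
	}

	// Report reachability only: the remote body never reaches the browser.
	wp_send_json_success( array(
		'reachable' => true,
		'status'    => wp_remote_retrieve_response_code( $response ),
	) );
}

// Returns true or a WP_Error. Accepts only http(s) URLs without embedded credentials whose
// host (literal IP or every resolved A record) is a public address.
function pap_validate_outbound_url( string $url ) {
	$parts = wp_parse_url( $url );
	if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
		return new WP_Error( 'pap_bad_url', 'URL must include a host.' );
	}
	if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
		return new WP_Error( 'pap_bad_scheme', 'Only http and https are allowed.' );
	}
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return new WP_Error( 'pap_bad_url', 'Credentials in the URL are not allowed.' );
	}

	$host      = trim( $parts['host'], '[].' );
	$addresses = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : ( gethostbynamel( $host ) ?: array() );
	if ( empty( $addresses ) ) {
		return new WP_Error( 'pap_unresolved', 'Host does not resolve.' ); // fail closed
	}
	foreach ( $addresses as $ip ) {
		// NO_PRIV_RANGE rejects RFC 1918 space (and fc00::/7); NO_RES_RANGE rejects loopback,
		// 0.0.0.0/8, link-local 169.254.0.0/16 (cloud metadata), 240.0.0.0/4 and their IPv6 kin.
		if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
			return new WP_Error( 'pap_internal_destination', 'Destination resolves to a non-public address.' );
		}
	}
	return true;
}
```

Two caveats a reviewer of such a fix would raise: the check resolves the hostname once and the HTTP client resolves it again, so a DNS record that changes between the two (rebinding) is not caught by this layer alone, which is why the handler also refuses to return the response body; and gethostbynamel() returns only A records, so an AAAA-only hostname is rejected as unresolvable rather than silently allowed.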

4. Nonce Acquisition Strategy

Since this is an Administrator+ exploit, we must obtain a nonce valid for an authenticated session.

  1. Identify the Admin Page: Search for the menu slug:
    grep -rE "add_menu_page|add_submenu_page|add_options_page" .
    
  2. Identify the Localized Data: Look for wp_localize_script calls that might pass nonces to the admin UI.
  3. Extraction Procedure:
    • Use browser_navigate to go to the plugin settings page (e.g., /wp-admin/admin.php?page=post-affiliate-pro-settings).
    • Use browser_eval to extract the nonce:
      // Example guess based on common naming conventions
      window.pap_admin_obj?.nonce || jQuery("#_wpnonce").val() || window.papData?.nonce
      

5. Exploitation Strategy

The exploitation will involve triggering the outbound request to a controlled listener or an internal resource.

Step-by-Step Plan:

  1. Discovery: Use grep to find the exact AJAX action or settings field.
    grep -rn "wp_remote_get" . -B 10
    grep -rn "Post Affiliate Pro URL" .
    
  2. Determine Action: If it's an AJAX action, identify the action string (e.g., pap_check_url).
  3. Prepare Payload: Use a URL pointing to an internal service or a metadata endpoint.
    • Payload 1 (Internal): http://localhost:80/ (To see if the server responds with its own HTML).
    • Payload 2 (Cloud Metadata): http://169.254.169.254/latest/meta-data/ (If on AWS).
  4. Execute Request: Send the request using the http_request tool.

Example HTTP Request (Template):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET_HOST
Content-Type: application/x-www-form-urlencoded
Cookie: [Admin Cookies]

action=[INFERRED_ACTION]&url=http://localhost:80/&_ajax_nonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Active Plugin: Ensure postaffiliatepro is installed and activated.
  2. Admin User: Ensure you are logged in as a user with the administrator role.
  3. Setting Discovery: Locate the "Post Affiliate Pro URL" field in the dashboard to understand how it saves data.

7. Expected Results

  • Successful SSRF: The response from admin-ajax.php or the settings page will contain the raw HTML or response content of the URL provided in the payload.
  • Confirmation: If you point the URL to http://localhost:80/, you should see the WordPress home page HTML inside the JSON response of the AJAX call.

8. Verification Steps

  1. Check Response Body: Look for the signature of the internal resource in the plugin's response.
  2. Log Monitoring: If using an external collaborator, check for an incoming request from the WordPress server's IP address.
  3. WP-CLI Audit: Verify if the setting was saved (if it's a persistent SSRF):
    wp option get [OPTION_NAME_FOUND_DURING_GREP]
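The log-monitoring step above watches from the outside for the request arriving at a collaborator. On the WordPress host itself, the HTTP API fires the http_api_debug action after every request it makes, which lets a site owner record outbound destinations without touching the vulnerable plugin. The must-use plugin below is an added example, not part of Post Affiliate Pro or of this advisory; the log format, the function name and the flag label are my own choices, and it relies only on PHP's standard filter and DNS functions.

```php
<?php
/**
 * Plugin Name: Outbound HTTP audit (added example, not part of Post Affiliate Pro)
 *
 * Place in wp-content/mu-plugins/. Writes one line to the PHP error log for every request
 * made through the WordPress HTTP API and flags destinations that resolve to non-public
 * addresses, so an SSRF attempt aimed at loopback, RFC 1918 or metadata space is visible
 * even when the plugin that made the request logs nothing.
 */

add_action( 'http_api_debug', 'outbound_audit_log_request', 10, 5 );

function outbound_audit_log_request( $response, $context, $class, $parsed_args, $url ) {
	if ( 'response' !== $context ) {
		return; // core fires this hook once per completed request with context 'response'
	}

	$host = wp_parse_url( $url, PHP_URL_HOST );
	$host = is_string( $host ) ? trim( $host, '[].' ) : '';

	$addresses = array();
	if ( '' !== $host ) {
		// Literal IP: check as-is. Hostname: check every A record it resolves to.
		$addresses = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : ( gethostbynamel( $host ) ?: array() );
	}

	$non_public = empty( $addresses ); // an unresolvable host is treated as suspicious
	foreach ( $addresses as $ip ) {
		if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
			$non_public = true;
			break;
		}
	}

	$status = is_wp_error( $response )
		? 'error:' . $response->get_error_code()
		: (string) wp_remote_retrieve_response_code( $response );

	$user = function_exists( 'wp_get_current_user' ) ? wp_get_current_user() : null;

	$entry = array(
		'ts'       => gmdate( 'c' ),
		'flag'     => $non_public ? 'NON_PUBLIC_DESTINATION' : 'ok',
		'url'      => $url,
		'resolved' => implode( ',', $addresses ),
		'status'   => $status,
		'user'     => ( $user && $user->ID ) ? $user->user_login : 'anonymous',
		'request'  => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'cli',
		'action'   => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
	);

	error_log( 'outbound-audit ' . wp_json_encode( $entry ) );
}
```

A flagged line ties the outbound request to the logged-in user and the admin-ajax action that triggered it, which is the evidence an incident responder needs to distinguish an abused administrator account from a plugin's legitimate local call. The hook runs after the request, so this is detection, not prevention; the same address check placed in the pre_http_request filter and returning a WP_Error would block the request instead, at the cost of breaking any plugin that legitimately talks to an internal service.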
    

9. Alternative Approaches

  • Persistent SSRF: If the URL is fetched whenever an admin page is loaded (e.g., a "status widget"), simply updating the setting via options.php or a POST to the settings page will trigger the SSRF every time the dashboard is viewed.
  • Blind SSRF: If the response body is not returned, attempt to trigger a DNS or HTTP request to an external listener to confirm the outbound connectivity.
  • File Wrapper: Check if the plugin allows file:// wrappers: file:///etc/passwd (though wp_remote_get usually blocks this, some custom cURL implementations might not).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Post Affiliate Pro plugin for WordPress is vulnerable to an authenticated Server-Side Request Forgery (SSRF) in versions up to and including 1.28.0. An administrator can enter an arbitrary URL in the 'Post Affiliate Pro URL' field; the server then fetches that URL and displays the response content, allowing internal network scanning and sensitive data retrieval.

Exploit Outline

To exploit this vulnerability, an attacker with Administrator-level access logs into the WordPress dashboard and navigates to the Post Affiliate Pro settings page. They identify the 'Post Affiliate Pro URL' field and enter a target URL, such as a cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/) or an internal service (e.g., http://localhost:3306). When the plugin validates the connection or saves the setting, it initiates an outbound HTTP request from the server and echoes the response body back into the administrative interface, allowing the attacker to view the data.
