CVE-2023-5877
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2023-5877 is a serious vulnerability affecting the affiliate-toolkit WordPress plugin prior to version 3.4.3. The issue lies in the plugin's lack of authorization and authentication for requests to the affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint. Consequently, unauthenticated visitors can exploit this weakness and make requests to arbitrary URLs, including RFC1918 private addresses. This vulnerability results in a Server Side Request Forgery (SSRF) issue, which can lead to unintended server responses and potential data exposure or exfiltration. WordPress users are advised to update their plugin as soon as possible to mitigate the risk.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.