CVE-2023-5877

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Jan 1, 2024
Updated: Jan 8, 2024
CWE ID 862

Summary

CVE-2023-5877 is a serious vulnerability affecting the affiliate-toolkit WordPress plugin prior to version 3.4.3. The issue lies in the plugin's lack of authorization and authentication for requests to the affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint. Consequently, unauthenticated visitors can exploit this weakness and make requests to arbitrary URLs, including RFC1918 private addresses. This vulnerability results in a Server Side Request Forgery (SSRF) issue, which can lead to unintended server responses and potential data exposure or exfiltration. WordPress users are advised to update their plugin as soon as possible to mitigate the risk.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share