What the vulnerability does
01 Description
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to initiate arbitrary outbound web requests from the application and read the returned response content. Successful exploitation was confirmed by receiving and observing response data from an external Collaborator endpoint.
Explanation of Vulnerability in Simple Terms
02 Summary
Post Affiliate Pro versions up to 1.28.0 contain a server-side request forgery vulnerability that allows high-privilege users to make the server send requests to internal or external systems. An attacker with administrative access can exploit this to access restricted resources or interact with backend services on behalf of the application. The vulnerability has low impact on confidentiality and integrity.
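As an added illustration, not code from Post Affiliate Pro (whose internals this advisory does not show), the pattern behind this class of WordPress SSRF beside a hardened version: an admin-only handler that fetches an administrator-supplied URL and hands back the response. The handler, option and host names are hypothetical; `wp_safe_remote_get()`, `wp_http_validate_url()` and `esc_url_raw()` are real WordPress core helpers.

```php
<?php
// Added example, not plugin code. Hypothetical admin-only AJAX handlers.

// --- Vulnerable pattern: any scheme, any host, raw body returned ------------
function example_fetch_url_unsafe() {
    check_ajax_referer( 'example_fetch', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url );                   // no host restriction
    wp_send_json_success( wp_remote_retrieve_body( $response ) ); // body echoed
}

// --- Hardened pattern: https only, core URL validation, allowlist, safe fetch
function example_fetch_url_safe() {
    check_ajax_referer( 'example_fetch', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $url = esc_url_raw( $raw, array( 'https' ) );        // drop non-https schemes

    // wp_http_validate_url() rejects embedded credentials, unusual ports and
    // loopback/private addresses, resolving the hostname to check its IP.
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // Defence in depth: only the hosts the integration needs (assumed list).
    $allowed_hosts = array( 'api.example.com' );
    $host          = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( 'host not allowed', 400 );
    }

    // wp_safe_remote_get() re-applies the URL validation (including to
    // redirect targets); a short timeout and no redirects limit the blast radius.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // Return only what the feature needs, not the raw response body.
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $response ) ) );
}

add_action( 'wp_ajax_example_fetch', 'example_fetch_url_safe' );
```

The unsafe handler is left unregistered and shown only for contrast. Hostname validation happens before the request is made, so the allowlist (rather than the IP check alone) is what protects against a host whose DNS answer changes between validation and fetch.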
What an attacker can do
03 Attacker Capabilities
Make the server send HTTP requests to internal systems or external URLs on the attacker's behalf.
Potential impact on your site
04 Site Impact
An admin account compromise could allow attackers to probe internal networks or interact with backend services.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level administrative privileges in Post Affiliate Pro.
Key dates
06 Disclosure timeline
March 21, 2026: CVE published
April 8, 2026: Record updated