CVE-2026-2290

🗓️ 21 Mar 2026 03:26:40Reported by WordfenceType

Authenticated administrators can exploit server-side forgery in Post Affiliate Pro to trigger outbound requests.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-2290	21 Mar 202603:26	–	attackerkb
CNNVD	WordPress plugin Post Affiliate Pro 代码问题漏洞	21 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-2290 Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field	21 Mar 202603:26	–	cvelist
EUVD	EUVD-2026-13997	21 Mar 202606:30	–	euvd
NVD	CVE-2026-2290	21 Mar 202604:16	–	nvd
Patchstack	WordPress Post Affiliate Pro plugin <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field vulnerability	23 Mar 202619:57	–	patchstack
Positive Technologies	PT-2026-26831	21 Mar 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-2290	26 Mar 202615:08	–	redhatcve
Vulnrichment	CVE-2026-2290 Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field	21 Mar 202603:26	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (March 16, 2026 to March 22, 2026)	27 Mar 202621:11	–	wordfence

Vulners

Node

jurajsim post_affiliate_proRange≤1.28.0wordpress

[
  {
    "vendor": "jurajsim",
    "product": "Post Affiliate Pro",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.28.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/postaffiliatepro/trunk/Base.class.php
plugins	www.plugins.trac.wordpress.org/browser/postaffiliatepro/tags/1.28.0/Base.class.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/369cd6ca-bb36-479e-b342-36d2ca778ce1

22 Apr 2026 21:32Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.13.8

EPSS0.00034

SSVC

CWE-918