CVE-2023-5877 Information

Description

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it’s affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint allowing unauthenticated visitors to make requests to arbitrary URL’s including RFC1918 private addresses leading to a Server Side Request Forgery (SSRF) issue.

Reference

https://wpscan.com/vulnerability/39ed4934-3d91-4924-8acc-25759fef9e81