"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 7 | Critical: 1 | High: 1 | Medium: 5
Showing 1-7 of 7 records
Threat Entry Updated 2024-11-21

CVE-2024-10675 - Affiliate Toolkit Plugin

The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Affiliate Toolkit

CVE-2024-10675

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-10-29

CVE-2024-10227 - Affiliate Toolkit Plugin

The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Affiliate Toolkit

CVE-2024-10227

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2025-01-15

CVE-2024-2298 - Affiliate Toolkit Plugin

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as importing products.

PLUGIN Affiliate Toolkit

CVE-2024-2298

MEDIUM CVSS 4.3 2024-03-08
Threat Entry Updated 2025-01-15

CVE-2024-1851 - Affiliate Toolkit Plugin

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as creating product lists.

PLUGIN Affiliate Toolkit

CVE-2024-1851

MEDIUM CVSS 6.3 2024-03-08
Threat Entry Updated 2025-06-03

CVE-2023-5877 - Affiliate Toolkit Plugin

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to its affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.

PLUGIN Affiliate Toolkit

CVE-2023-5877

CRITICAL CVSS 9.8 2024-01-01
Threat Entry Updated 2024-11-21

CVE-2023-45105 - Affiliate Toolkit Plugin

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin. This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.3.9.

PLUGIN Affiliate Toolkit

CVE-2023-45105

MEDIUM CVSS 4.7 2023-12-19
Threat Entry Updated 2024-11-21

CVE-2023-46086 - Affiliate Toolkit Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin allows Reflected XSS. This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.4.3.

PLUGIN Affiliate Toolkit

CVE-2023-46086

HIGH CVSS 7.1 2023-11-30