VYPR

Affiliate Toolkit Starter

by WordPress

Source repositories

CVEs (8)

  • CVE-2023-5877CriJan 1, 2024
    risk 0.64cvss 9.8epss 0.01

    The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private…

  • CVE-2026-6169HigMay 27, 2026
    risk 0.47cvss 7.2epss 0.01

    The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and…

  • CVE-2024-29817MedMar 27, 2024
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit allows Stored XSS.This issue affects affiliate-toolkit: from n/a through 3.4.5.

  • CVE-2024-10675MedNov 21, 2024
    risk 0.40cvss 6.1epss 0.00

    The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary…

  • CVE-2025-46231MedApr 22, 2025
    risk 0.35cvss 5.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit affiliate-toolkit-starter allows Cross Site Request Forgery.This issue affects affiliate-toolkit: from n/a through <= 3.7.3.

  • CVE-2024-10227MedOct 29, 2024
    risk 0.35cvss 6.4epss 0.00

    The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2024-6562MedAug 12, 2024
    risk 0.34cvss 5.3epss 0.01

    The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.5.5. This is due display_errors being set to true . This makes it possible for unauthenticated attackers to retrieve the full…

  • CVE-2024-37205MedJul 10, 2024
    risk 0.34cvss 5.3epss 0.00

    Insertion of Sensitive Information into Log File vulnerability in SERVIT Software Solutions.This issue affects affiliate-toolkit: from n/a through 3.4.4.