CVE-2023-5877
📋 TL;DR
The affiliate-toolkit WordPress plugin before version 3.4.3 has an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. Unauthenticated attackers can cause the web server to make requests to arbitrary URLs, including internal network addresses, through the atkp_imagereceiver.php endpoint. This affects all WordPress sites running vulnerable versions of the plugin.
💻 Affected Systems
- affiliate-toolkit WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, perform port scanning, interact with cloud metadata services, or chain with other vulnerabilities to achieve remote code execution.
Likely Case
Attackers scan internal networks, access internal web applications, or use the vulnerable server as a proxy for attacks against other systems.
If Mitigated
Limited impact if network segmentation prevents access to sensitive internal systems and outbound firewall rules restrict requests.
🎯 Exploit Status
Simple HTTP requests to the vulnerable endpoint with URL parameters can trigger the SSRF.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.3
Vendor Advisory: https://wpscan.com/vulnerability/39ed4934-3d91-4924-8acc-25759fef9e81
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the affiliate-toolkit plugin.
4. Click 'Update Now' to update to version 3.4.3 or later.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable endpoint via .htaccess
(Linux/Apache) Block access to the vulnerable PHP file using Apache mod_rewrite rules. Add the following to the .htaccess file in the WordPress root directory (the pattern is relative to that directory):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver\.php$ - [F,L]
</IfModule>
Deactivate plugin
(All platforms) Temporarily disable the plugin until patched, using WP-CLI (the slug is the plugin directory name, affiliate-toolkit-starter):
wp plugin deactivate affiliate-toolkit-starter
🧯 If You Can't Patch
- Implement network segmentation to isolate WordPress server from internal networks
- Configure web application firewall (WAF) to block requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel for the plugin version, or examine wp-content/plugins/affiliate-toolkit-starter/readme.txt (the Stable tag line) for the version number.
Check Version:
wp plugin get affiliate-toolkit-starter --field=version
Verify Fix Applied:
Confirm that the plugin version is 3.4.3 or higher in the WordPress admin, or test the endpoint with a controlled SSRF target (a URL you own, pointing at nothing sensitive) to verify that the request is blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver.php with URL parameters
- Outbound requests from the web server to internal IP addresses (RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Network Indicators:
- Unusual outbound connections from web server to internal network ranges
- Multiple rapid requests to different internal IPs from single source
SIEM Query (pseudo-syntax; adapt field names to your platform):
source="web_server_logs" AND uri="*atkp_imagereceiver.php*" AND (query="*url=*" OR query="*http*" OR query="*://*")
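As an added example (not part of this advisory or the plugin's own code), a small Python script that applies the log indicators above to constructed Apache access-log lines: it parses each request, keeps only hits on atkp_imagereceiver.php that carry a url= parameter, rates those whose target is a private, loopback or link-local address as high severity, and flags sources that reached several distinct internal hosts (the scan pattern noted under Network Indicators). The sample log lines, the IP addresses in them and the severity labels are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample Apache combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2023:10:01:02 +0000] "GET /wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.1.2"
203.0.113.7 - - [10/Nov/2023:10:01:03 +0000] "GET /wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver.php?url=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 128 "-" "curl/8.1.2"
198.51.100.9 - - [10/Nov/2023:10:02:00 +0000] "GET /wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver.php?url=https%3A%2F%2Fimages.example.com%2Fbanner.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2023:10:02:05 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

ENDPOINT = "atkp_imagereceiver.php"  # the vulnerable image-receiver script from the advisory
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_internal_host(host):
    """True when the fetched host is a literal IP in a private, loopback or link-local range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here; they are treated as external
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_ssrf_attempts(log_text):
    """One finding per request to the image receiver that carries a url= parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m["target"])
        if not req.path.endswith("/" + ENDPOINT):
            continue
        for fetched in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes the value
            host = urlparse(fetched).hostname or ""
            findings.append({"src": m["src"], "ts": m["ts"], "fetched_host": host,
                             "severity": "high" if is_internal_host(host) else "medium"})
    return findings

def sources_probing_internal(findings, min_distinct_hosts=2):
    """Sources that reached at least N distinct internal hosts through the endpoint (scan-like)."""
    hosts_by_src = defaultdict(set)
    for f in findings:
        if f["severity"] == "high":
            hosts_by_src[f["src"]].add(f["fetched_host"])
    return sorted(s for s, hosts in hosts_by_src.items() if len(hosts) >= min_distinct_hosts)
```

Running find_ssrf_attempts(SAMPLE_LOG) on the constructed lines yields two high-severity findings for 203.0.113.7 (metadata service and a 10.0.0.0/8 host) and one medium finding for the external image URL; sources_probing_internal then reports 203.0.113.7 as scan-like.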