Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

affiliate-toolkit

Source -

CNANVDADP

CNA CVEs -

6

ADP CVEs -

2

CISA CVEs -

0

NVD CVEs -

7
Related CVEsRelated VendorsRelated AssignersReports
11Vulnerabilities found
CVE-2025-46231
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 8.02%
||
7 Day CHG+0.01%
Published-22 Apr, 2025 | 09:53
Updated-30 Apr, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress affiliate-toolkit <= 3.7.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit allows Cross Site Request Forgery. This issue affects affiliate-toolkit: from n/a through 3.7.3.

Action-Not Available
Vendor-servitSERVIT Software Solutions
Product-affiliate-toolkitaffiliate-toolkit
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10227
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 31.41%
||
7 Day CHG+0.02%
Published-29 Oct, 2024 | 09:31
Updated-29 Oct, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
affiliate-toolkit <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode

The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-cservit
Product-affiliate-toolkit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6562
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 59.96%
||
7 Day CHG~0.00%
Published-09 Aug, 2024 | 09:30
Updated-12 Aug, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
affiliate-toolkit <= 3.5.5 - Unauthenticated Full Path Dislcosure

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.5.5. This is due display_errors being set to true . This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Action-Not Available
Vendor-cservitservit
Product-affiliate-toolkit – WordPress Affiliate Pluginaffiliate-toolkit
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-37205
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 39.12%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 17:50
Updated-02 Aug, 2024 | 03:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress affiliate-toolkit plugin <= 3.4.4 - Sensitive Data Exposure via Log File vulnerability

Insertion of Sensitive Information into Log File vulnerability in SERVIT Software Solutions.This issue affects affiliate-toolkit: from n/a through 3.4.4.

Action-Not Available
Vendor-SERVIT Software Solutionsservit
Product-affiliate-toolkitaffiliate-toolkit
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-29817
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 41.95%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 11:56
Updated-02 Aug, 2024 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress affiliate-toolkit – WordPress Affiliate Plugin plugin <= 3.4.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit allows Stored XSS.This issue affects affiliate-toolkit: from n/a through 3.4.5.

Action-Not Available
Vendor-SERVIT Software Solutions
Product-affiliate-toolkit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1851
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 14.56%
||
7 Day CHG~0.00%
Published-08 Mar, 2024 | 06:58
Updated-16 Apr, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.

Action-Not Available
Vendor-servitcservit
Product-affiliate-toolkitaffiliate-toolkit – WordPress Affiliate Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-2298
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.72%
||
7 Day CHG~0.00%
Published-08 Mar, 2024 | 06:58
Updated-15 Jan, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products.

Action-Not Available
Vendor-servitcservit
Product-affiliate-toolkitaffiliate-toolkit – WordPress Affiliate Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-5877
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 56.12%
||
7 Day CHG~0.00%
Published-01 Jan, 2024 | 14:18
Updated-03 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
affiliate-toolkit < 3.4.3 - Unauthenticated SSRF

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.

Action-Not Available
Vendor-servitUnknown
Product-affiliate-toolkitaffiliate-toolkit
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-45105
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-4.7||MEDIUM
EPSS-0.11% / 30.65%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 19:48
Updated-02 Aug, 2024 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress affiliate-toolkit – WordPress Affiliate Plugin Plugin <= 3.3.9 is vulnerable to Open Redirection

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin.This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.3.9.

Action-Not Available
Vendor-servitSERVIT Software Solutions
Product-affiliate-toolkitaffiliate-toolkit – WordPress Affiliate Plugin
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-46086
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.19% / 41.48%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 15:50
Updated-03 Jun, 2025 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress affiliate-toolkit – WordPress Affiliate Plugin Plugin <= 3.4.3 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin allows Reflected XSS.This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.4.3.

Action-Not Available
Vendor-servitSERVIT Software Solutions
Product-affiliate-toolkitaffiliate-toolkit – WordPress Affiliate Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23786
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.05% / 15.26%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 07:19
Updated-09 Jan, 2025 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress affiliate-toolkit – WordPress Affiliate Plugin Plugin <= 3.3.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Christof Servit affiliate-toolkit plugin <= 3.3.3 versions.

Action-Not Available
Vendor-servitChristof Servit
Product-affiliate-toolkitaffiliate-toolkit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')