CVE-2023-45105: 
WordPress vulnerability analysis and mitigation

The CVE-2023-45105 is a URL Redirection to Untrusted Site ('Open Redirect') vulnerability affecting SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin through version 3.3.9. The vulnerability was discovered and reported by researcher minhtuanact on March 22, 2023, and was publicly disclosed on October 6, 2023 (Patchstack).

The vulnerability exists due to insufficient validation on the redirect URL supplied via the 'url' parameter in atkpout.php. The issue affects sites that do not have a atkp-imagereceiver-key.php setup, as the attacker must calculate the md5 hash of the URL combined with the key from that file to successfully redirect victims. If atkp-imagereceiver-key.php is not present, the md5 hash of atkpout.php, which is publicly available, will be used, allowing redirection. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NVD and 4.7 (Medium) by Patchstack (Patchstack).

This vulnerability could allow unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. The redirection capability could be exploited in phishing attacks, where users might be redirected from legitimate sites to malicious ones (Patchstack).

The vulnerability has been fixed in version 3.4.0 of the affiliate-toolkit WordPress plugin. Users are advised to update to version 3.4.0 or later to remove the vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until the update can be applied (Patchstack).