CVE-2023-5877: 
WordPress vulnerability analysis and mitigation

The affiliate-toolkit WordPress plugin before version 3.4.3 contains a Server Side Request Forgery (SSRF) vulnerability identified as CVE-2023-5877. The vulnerability was discovered in the affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, which lacks proper authorization and authentication mechanisms. This vulnerability was publicly disclosed on December 11, 2023, and affects all versions of the plugin prior to 3.4.3 (WPScan).

The vulnerability stems from the lack of proper authentication and authorization controls in the affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint. The issue allows unauthenticated visitors to make requests to arbitrary URLs, including RFC1918 private addresses. While version 3.3.6 introduced some security measures to limit access to localhost and implemented a separate file for storing an arbitrary site key, other RFC1918 addresses remained unfiltered. Additionally, the site key file is stored under a hardcoded pathname and may be accessible by unauthenticated visitors, effectively compromising the endpoint's security. The vulnerability has been assigned a CVSS score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows unauthenticated attackers to perform Server Side Request Forgery (SSRF) attacks. This could potentially lead to unauthorized access to internal systems, data exposure, and interaction with internal services that should not be accessible from the external network (WPScan).

The vulnerability has been patched in version 3.4.3 of the affiliate-toolkit WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against potential SSRF attacks (WPScan).