The Affiliate-Toolkit – WordPress Affiliate Plugin, which helps websites create affiliate programs, has an Open Redirect vulnerability in versions up to 3.3.9. The plugin does not properly validate the URL it redirects to, so an unauthenticated attacker can redirect users to malicious websites if they can get those users to perform an action. Sites that have an atkp-imagereceiver-key.php file set up are not vulnerable, because the attacker needs the key from that file to perform the redirection. If the file is not present, the attacker can use the publicly available MD5 hash of atkpout.php instead, which allows them to redirect users.
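
One way to close both gaps described above, shown as an added example rather than the plugin's own code or its actual fix: a redirect target must carry an HMAC made with a per-site secret, must point at an allowlisted host, and is refused outright when no secret is configured. The function names, the allowlist and the sample URLs are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.

// Constructed allowlist of hosts the site is willing to redirect to.
const ALLOWED_HOSTS = ['shop.example', 'partner.example'];

/** Return the configured per-site secret, or null when none is usable. */
function load_redirect_key(?string $configured): ?string {
    // Fail closed: never substitute a value derived from public data
    // (for example a hash of a file that ships with the plugin).
    return ($configured !== null && strlen($configured) >= 32) ? $configured : null;
}

/** Sign a target URL so only the site itself can mint redirect links. */
function sign_redirect(string $url, string $key): string {
    return hash_hmac('sha256', $url, $key);
}

/** Return the URL if it is safe to redirect to, otherwise null. */
function validate_redirect(string $url, string $sig, ?string $key): ?string {
    if ($key === null) {
        return null;                      // no secret configured: refuse
    }
    if (!hash_equals(sign_redirect($url, $key), $sig)) {
        return null;                      // signature missing or forged
    }
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return null;                      // malformed or non-HTTPS target
    }
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, ALLOWED_HOSTS, true) ? $url : null;
}

// Demonstration with constructed inputs.
$key     = load_redirect_key(bin2hex(random_bytes(32)));
$onList  = 'https://shop.example/item?id=7';
$offList = 'https://untrusted.example/login';

// Case 1: allowlisted host with a valid signature.
var_dump(validate_redirect($onList, sign_redirect($onList, $key), $key));
// Case 2: valid signature, but the host is not on the allowlist.
var_dump(validate_redirect($offList, sign_redirect($offList, $key), $key));
// Case 3: signature built from a publicly derivable value instead of the secret.
var_dump(validate_redirect($onList, md5('public file contents'), $key));
// Case 4: no secret configured on the site, so every redirect is refused.
var_dump(validate_redirect($onList, sign_redirect($onList, 'x'), load_redirect_key(null)));
```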