CVE-2026-46698

Fediverse Embeds <= 1.5.7 - Unauthenticated Server-Side Request Forgery

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
1.5.9
Patched in
7d
Time to patch

Description

The Fediverse Embeds plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.7
PublishedJune 12, 2026
Last updatedJune 18, 2026
Affected pluginfediverse-embeds

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Research Plan: CVE-2026-46698 - Fediverse Embeds SSRF ## 1. Vulnerability Summary The **Fediverse Embeds** plugin (versions <= 1.5.7) is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)**. The plugin fails to sufficiently validate or sanitize user-provided URLs before using them…

Show full research plan

Research Plan: CVE-2026-46698 - Fediverse Embeds SSRF

1. Vulnerability Summary

The Fediverse Embeds plugin (versions <= 1.5.7) is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF). The plugin fails to sufficiently validate or sanitize user-provided URLs before using them in server-side HTTP requests, typically intended to fetch post metadata from Fediverse instances (e.g., Mastodon, Lemmy). An unauthenticated attacker can exploit this to make the WordPress server send requests to internal services, local network resources, or cloud metadata endpoints.

2. Attack Vector Analysis

  • Endpoint: Likely an unauthenticated AJAX handler (wp_ajax_nopriv_*) or a REST API route (/wp-json/...) registered without a permission_callback.
  • Vulnerable Parameter: A parameter named url, uri, or id used to specify the remote Fediverse content.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. If the endpoint requires a nonce (even for logged-out users), the nonce must be extracted from the frontend.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers a handler for fetching Fediverse data during init or rest_api_init.
  2. Input Acquisition: The handler retrieves a URL from $_GET['url'] or a REST parameter.
  3. Processing: The code likely attempts to validate if the URL looks like a Fediverse post but fails to block private IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 169.254.169.254).
  4. Sink: The URL is passed to wp_remote_get() or a similar function (e.g., file_get_contents or curl_exec).
  5. Response: The server returns the body of the internal request back to the attacker.

4. Nonce Acquisition Strategy

If the plugin uses AJAX, it likely protects the unauthenticated endpoint with a nonce.

  1. Identify Shortcode: Search for add_shortcode in the plugin (e.g., [fediverse-embed]).
  2. Identify JS Variable: Look for wp_localize_script calls. Common patterns in this plugin family use variable names like fediverseEmbeds or fediverse_params.
  3. Action Plan:
    • Create a test post with the shortcode: wp post create --post_type=page --post_status=publish --post_content='[fediverse-embed url="https://mastodon.social/@example/123"]'
    • Navigate to the page using browser_navigate.
    • Extract the nonce: browser_eval("window.fediverse_params?.nonce") (inferred variable name).

5. Exploitation Strategy

The goal is to force the server to request a local resource (loopback).

Request Details:

  • Tool: http_request
  • Method: POST (or GET depending on the handler)
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (URL-encoded):
    • action: (inferred) fediverse_embed_get_data or fetch_fediverse_post
    • nonce: [EXTRACTED_NONCE]
    • url: http://127.0.0.1:80/ (Targeting the local webserver) or http://169.254.169.254/latest/meta-data/ (if in AWS).

Payload example (REST):

  • Method: GET
  • URL: http://localhost:8080/wp-json/fediverse-embeds/v1/fetch?url=http://127.0.0.1:80/

6. Test Data Setup

  1. Activate Plugin: wp plugin activate fediverse-embeds
  2. Determine Entry Point:
    • grep -rn "wp_ajax_nopriv" .
    • grep -rn "register_rest_route" .
  3. Create Nonce Source: If a nonce is required, create a page with the shortcode identified in step 4.

7. Expected Results

  • Success: The response body from http_request contains the HTML/JSON of the internal service (e.g., the WordPress homepage or directory listing if targeting http://127.0.0.1).
  • Vulnerability Confirmation: The server does not return a "Forbidden" or "Invalid URL" error when requesting local IP addresses.

8. Verification Steps

  1. Log Check: Check the web server access logs to confirm the request originated from the server's own IP address to itself.
  2. Code Audit (Post-Exploit): Verify the sink in the plugin code:
    grep -rn "wp_remote_get" wp-content/plugins/fediverse-embeds/
    
    Confirm if the URL passed to this function is directly derived from user input without IP blacklisting.

9. Alternative Approaches

  • Protocol Smuggling: If wp_remote_get is used, try other protocols like file:// (though WordPress usually restricts this to http/s).
  • DNS Rebinding: If the plugin resolves the hostname before fetching, attempt to use a DNS rebinding service to bypass simple IP checks.
  • Alternative Endpoints: Check if the SSRF exists in the "Settings" page or "OEmbed" handlers if the unauthenticated AJAX handler is not found.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Fediverse Embeds plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 1.5.7. This occurs because the plugin fails to validate user-supplied URLs before performing server-side HTTP requests, allowing attackers to probe internal services and access restricted network resources or cloud metadata.

Exploit Outline

The exploit methodology involves identifying the plugin's AJAX or REST API endpoint used for fetching Fediverse post data. An attacker sends a request to this endpoint (e.g., via a 'url' parameter) and provides a target address within the internal network or local loopback (such as 127.0.0.1 or cloud metadata IP). If the endpoint requires a nonce for unauthenticated users, the attacker first extracts this token from the frontend script variables or HTML source where the plugin's shortcode is rendered. The server then executes the request and returns the internal resource's response to the attacker.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.