Fediverse Embeds <= 1.5.7 - Unauthenticated Server-Side Request Forgery
Description
The Fediverse Embeds plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.5.7Source Code
WordPress.org SVNPatched version not available.
# Research Plan: CVE-2026-46698 - Fediverse Embeds SSRF ## 1. Vulnerability Summary The **Fediverse Embeds** plugin (versions <= 1.5.7) is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)**. The plugin fails to sufficiently validate or sanitize user-provided URLs before using them…
Show full research plan
Research Plan: CVE-2026-46698 - Fediverse Embeds SSRF
1. Vulnerability Summary
The Fediverse Embeds plugin (versions <= 1.5.7) is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF). The plugin fails to sufficiently validate or sanitize user-provided URLs before using them in server-side HTTP requests, typically intended to fetch post metadata from Fediverse instances (e.g., Mastodon, Lemmy). An unauthenticated attacker can exploit this to make the WordPress server send requests to internal services, local network resources, or cloud metadata endpoints.
2. Attack Vector Analysis
- Endpoint: Likely an unauthenticated AJAX handler (
wp_ajax_nopriv_*) or a REST API route (/wp-json/...) registered without apermission_callback. - Vulnerable Parameter: A parameter named
url,uri, oridused to specify the remote Fediverse content. - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. If the endpoint requires a nonce (even for logged-out users), the nonce must be extracted from the frontend.
3. Code Flow (Inferred)
- Entry Point: The plugin registers a handler for fetching Fediverse data during
initorrest_api_init. - Input Acquisition: The handler retrieves a URL from
$_GET['url']or a REST parameter. - Processing: The code likely attempts to validate if the URL looks like a Fediverse post but fails to block private IP ranges (e.g.,
127.0.0.1,10.0.0.0/8,169.254.169.254). - Sink: The URL is passed to
wp_remote_get()or a similar function (e.g.,file_get_contentsorcurl_exec). - Response: The server returns the body of the internal request back to the attacker.
4. Nonce Acquisition Strategy
If the plugin uses AJAX, it likely protects the unauthenticated endpoint with a nonce.
- Identify Shortcode: Search for
add_shortcodein the plugin (e.g.,[fediverse-embed]). - Identify JS Variable: Look for
wp_localize_scriptcalls. Common patterns in this plugin family use variable names likefediverseEmbedsorfediverse_params. - Action Plan:
- Create a test post with the shortcode:
wp post create --post_type=page --post_status=publish --post_content='[fediverse-embed url="https://mastodon.social/@example/123"]' - Navigate to the page using
browser_navigate. - Extract the nonce:
browser_eval("window.fediverse_params?.nonce")(inferred variable name).
- Create a test post with the shortcode:
5. Exploitation Strategy
The goal is to force the server to request a local resource (loopback).
Request Details:
- Tool:
http_request - Method: POST (or GET depending on the handler)
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Body (URL-encoded):
action: (inferred)fediverse_embed_get_dataorfetch_fediverse_postnonce:[EXTRACTED_NONCE]url:http://127.0.0.1:80/(Targeting the local webserver) orhttp://169.254.169.254/latest/meta-data/(if in AWS).
Payload example (REST):
- Method: GET
- URL:
http://localhost:8080/wp-json/fediverse-embeds/v1/fetch?url=http://127.0.0.1:80/
6. Test Data Setup
- Activate Plugin:
wp plugin activate fediverse-embeds - Determine Entry Point:
grep -rn "wp_ajax_nopriv" .grep -rn "register_rest_route" .
- Create Nonce Source: If a nonce is required, create a page with the shortcode identified in step 4.
7. Expected Results
- Success: The response body from
http_requestcontains the HTML/JSON of the internal service (e.g., the WordPress homepage or directory listing if targetinghttp://127.0.0.1). - Vulnerability Confirmation: The server does not return a "Forbidden" or "Invalid URL" error when requesting local IP addresses.
8. Verification Steps
- Log Check: Check the web server access logs to confirm the request originated from the server's own IP address to itself.
- Code Audit (Post-Exploit): Verify the sink in the plugin code:
Confirm if the URL passed to this function is directly derived from user input without IP blacklisting.grep -rn "wp_remote_get" wp-content/plugins/fediverse-embeds/
9. Alternative Approaches
- Protocol Smuggling: If
wp_remote_getis used, try other protocols likefile://(though WordPress usually restricts this tohttp/s). - DNS Rebinding: If the plugin resolves the hostname before fetching, attempt to use a DNS rebinding service to bypass simple IP checks.
- Alternative Endpoints: Check if the SSRF exists in the "Settings" page or "OEmbed" handlers if the unauthenticated AJAX handler is not found.
Summary
The Fediverse Embeds plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 1.5.7. This occurs because the plugin fails to validate user-supplied URLs before performing server-side HTTP requests, allowing attackers to probe internal services and access restricted network resources or cloud metadata.
Exploit Outline
The exploit methodology involves identifying the plugin's AJAX or REST API endpoint used for fetching Fediverse post data. An attacker sends a request to this endpoint (e.g., via a 'url' parameter) and provides a target address within the internal network or local loopback (such as 127.0.0.1 or cloud metadata IP). If the endpoint requires a nonce for unauthenticated users, the attacker first extracts this token from the frontend script variables or HTML source where the plugin's shortcode is rendered. The server then executes the request and returns the internal resource's response to the attacker.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.