[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fz5OuuUPlHb5bEWdfqbRl9hOwnBqeXhWbzun8kWPHkUQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-46698","fediverse-embeds-unauthenticated-server-side-request-forgery-2","Fediverse Embeds \u003C= 1.5.7 - Unauthenticated Server-Side Request Forgery","The Fediverse Embeds plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.","fediverse-embeds",null,"\u003C=1.5.7","1.5.9","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-06-12 00:00:00","2026-06-18 13:11:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe2256157-e65f-46fb-b226-fa778ad3e69c?source=api-prod",7,[],"researched",false,3,"# Research Plan: CVE-2026-46698 - Fediverse Embeds SSRF\n\n## 1. Vulnerability Summary\nThe **Fediverse Embeds** plugin (versions \u003C= 1.5.7) is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)**. The plugin fails to sufficiently validate or sanitize user-provided URLs before using them in server-side HTTP requests, typically intended to fetch post metadata from Fediverse instances (e.g., Mastodon, Lemmy). An unauthenticated attacker can exploit this to make the WordPress server send requests to internal services, local network resources, or cloud metadata endpoints.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Likely an unauthenticated AJAX handler (`wp_ajax_nopriv_*`) or a REST API route (`\u002Fwp-json\u002F...`) registered without a `permission_callback`.\n*   **Vulnerable Parameter:** A parameter named `url`, `uri`, or `id` used to specify the remote Fediverse content.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. If the endpoint requires a nonce (even for logged-out users), the nonce must be extracted from the frontend.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a handler for fetching Fediverse data during `init` or `rest_api_init`.\n2.  **Input Acquisition:** The handler retrieves a URL from `$_GET['url']` or a REST parameter.\n3.  **Processing:** The code likely attempts to validate if the URL looks like a Fediverse post but fails to block private IP ranges (e.g., `127.0.0.1`, `10.0.0.0\u002F8`, `169.254.169.254`).\n4.  **Sink:** The URL is passed to `wp_remote_get()` or a similar function (e.g., `file_get_contents` or `curl_exec`).\n5.  **Response:** The server returns the body of the internal request back to the attacker.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin uses AJAX, it likely protects the unauthenticated endpoint with a nonce.\n1.  **Identify Shortcode:** Search for `add_shortcode` in the plugin (e.g., `[fediverse-embed]`).\n2.  **Identify JS Variable:** Look for `wp_localize_script` calls. Common patterns in this plugin family use variable names like `fediverseEmbeds` or `fediverse_params`.\n3.  **Action Plan:**\n    *   Create a test post with the shortcode: `wp post create --post_type=page --post_status=publish --post_content='[fediverse-embed url=\"https:\u002F\u002Fmastodon.social\u002F@example\u002F123\"]'`\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract the nonce: `browser_eval(\"window.fediverse_params?.nonce\")` (inferred variable name).\n\n## 5. Exploitation Strategy\nThe goal is to force the server to request a local resource (loopback).\n\n**Request Details:**\n*   **Tool:** `http_request`\n*   **Method:** POST (or GET depending on the handler)\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-encoded):**\n    *   `action`: (inferred) `fediverse_embed_get_data` or `fetch_fediverse_post`\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `url`: `http:\u002F\u002F127.0.0.1:80\u002F` (Targeting the local webserver) or `http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F` (if in AWS).\n\n**Payload example (REST):**\n*   **Method:** GET\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Ffediverse-embeds\u002Fv1\u002Ffetch?url=http:\u002F\u002F127.0.0.1:80\u002F`\n\n## 6. Test Data Setup\n1.  **Activate Plugin:** `wp plugin activate fediverse-embeds`\n2.  **Determine Entry Point:** \n    *   `grep -rn \"wp_ajax_nopriv\" .`\n    *   `grep -rn \"register_rest_route\" .`\n3.  **Create Nonce Source:** If a nonce is required, create a page with the shortcode identified in step 4.\n\n## 7. Expected Results\n*   **Success:** The response body from `http_request` contains the HTML\u002FJSON of the internal service (e.g., the WordPress homepage or directory listing if targeting `http:\u002F\u002F127.0.0.1`).\n*   **Vulnerability Confirmation:** The server does not return a \"Forbidden\" or \"Invalid URL\" error when requesting local IP addresses.\n\n## 8. Verification Steps\n1.  **Log Check:** Check the web server access logs to confirm the request originated from the server's own IP address to itself.\n2.  **Code Audit (Post-Exploit):** Verify the sink in the plugin code:\n    ```bash\n    grep -rn \"wp_remote_get\" wp-content\u002Fplugins\u002Ffediverse-embeds\u002F\n    ```\n    Confirm if the URL passed to this function is directly derived from user input without IP blacklisting.\n\n## 9. Alternative Approaches\n*   **Protocol Smuggling:** If `wp_remote_get` is used, try other protocols like `file:\u002F\u002F` (though WordPress usually restricts this to `http\u002Fs`).\n*   **DNS Rebinding:** If the plugin resolves the hostname before fetching, attempt to use a DNS rebinding service to bypass simple IP checks.\n*   **Alternative Endpoints:** Check if the SSRF exists in the \"Settings\" page or \"OEmbed\" handlers if the unauthenticated AJAX handler is not found.","The Fediverse Embeds plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 1.5.7. This occurs because the plugin fails to validate user-supplied URLs before performing server-side HTTP requests, allowing attackers to probe internal services and access restricted network resources or cloud metadata.","The exploit methodology involves identifying the plugin's AJAX or REST API endpoint used for fetching Fediverse post data. An attacker sends a request to this endpoint (e.g., via a 'url' parameter) and provides a target address within the internal network or local loopback (such as 127.0.0.1 or cloud metadata IP). If the endpoint requires a nonce for unauthenticated users, the attacker first extracts this token from the frontend script variables or HTML source where the plugin's shortcode is rendered. The server then executes the request and returns the internal resource's response to the attacker.","gemini-3-flash-preview","2026-06-26 00:49:18","2026-06-26 00:49:52",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.5.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffediverse-embeds\u002Ftags\u002F1.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffediverse-embeds.1.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffediverse-embeds\u002Ftags"]