Description
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-04-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The affected Webmention plugin allows unauthenticated attackers to trigger server‑side requests to arbitrary URLs through the MF2::parse_authorpage routine that runs during the Receiver::post handling. This form of SSRF can expose internal network resources, read sensitive data, or modify internal services, thereby compromising confidentiality and integrity of the host and any linked systems. The underlying weakness is identified as CWE‑918, a classic SSRF flaw where an attacker provides a crafted URL that the server fetches.

Affected Systems

The vulnerability is present in all Webmention plugin releases up to and including version 5.6.2, which is used within WordPress sites. Site administrators running these versions should verify plugin versioning and promptly apply an update that removes the vulnerable parse_authorpage call.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. Although an EPSS score is not available, the absence of a known exploit in KEV suggests that exploitation may not yet be widespread, yet the unauthenticated nature and potential to access internal services make it a priority. Attackers would likely perform a POST request to the Webmention endpoint with a malicious URL; if the target system follows that URL, internal data may be disclosed or altered. Given the public availability of the code paths, successful exploitation is considered feasible in the intended environment.

Generated by OpenCVE AI on April 2, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Webmention plugin to any release newer than 5.6.2, which removes the vulnerable MF2::parse_authorpage call.
  • Verify the update has installed the correct file and configuration by checking the plugin’s change log or source; ensure that the Receiver::post handler no longer invokes the SSRF vector.
  • If an immediate update is not possible, consider disabling the Webmention functionality or restricting outbound HTTP requests from the WordPress installation through firewall rules or web‑application firewall settings to mitigate unwanted SSRF traffic.

Generated by OpenCVE AI on April 2, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Pfefferle
Pfefferle webmention
Wordpress
Wordpress wordpress
Vendors & Products Pfefferle
Pfefferle webmention
Wordpress
Wordpress wordpress

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Pfefferle Webmention
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:21.028Z

Reserved: 2026-01-07T19:18:17.788Z

Link: CVE-2026-0686

cve-icon Vulnrichment

Updated: 2026-04-02T13:45:05.733Z

cve-icon NVD

Status : Deferred

Published: 2026-04-02T08:16:27.850

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-0686

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:14Z

Weaknesses