Description
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-04-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling authenticated users to issue arbitrary web requests from the application
Action: Immediate Patch
AI Analysis

Impact

The Webmention WordPress plugin contains a flaw in its read function that will send HTTP requests to any URL supplied by the caller. An attacker who can authenticate to the site with at least Subscriber privileges can trigger this function, allowing the plugin to reach internal network services, retrieve sensitive data, or modify state on those services. This type of vulnerability falls under the Server‑Side Request Forgery weakness and can potentially expose confidential information or compromise internal interfaces.

Affected Systems

WordPress sites running the Webmention plugin from the developer pfefferle. Versions up to and including 5.6.2 are affected; all newer releases contain the fix.

Risk and Exploitability

The CVSS base score is 6.4, indicating a moderate severity. No EPSS data is currently available and the issue is not listed in the CISA KEV catalog. Attack requires the victim to be authenticated with Subscriber-level or higher access, after which the attacker can remotely influence outbound requests. While exploitation does not give direct code execution, it can bypass network segmentation and lead to data leakage or further internal attacks.

Generated by OpenCVE AI on April 2, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Webmention plugin to version 5.6.3 or later.
  • If an immediate update is not possible, remove the plugin or set its permissions so that Subscriber accounts cannot access the read function.
  • Monitor outgoing HTTP traffic from the WordPress instance for unexpected or unauthorized outbound requests.
  • Consider applying a web application firewall rule to block or inspect outbound requests originating from the Webmention plugin until the update can be applied.

Generated by OpenCVE AI on April 2, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Pfefferle
Pfefferle webmention
Wordpress
Wordpress wordpress
Vendors & Products Pfefferle
Pfefferle webmention
Wordpress
Wordpress wordpress

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Pfefferle Webmention
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:45.483Z

Reserved: 2026-01-07T19:31:01.518Z

Link: CVE-2026-0688

cve-icon Vulnrichment

Updated: 2026-04-02T13:23:38.518Z

cve-icon NVD

Status : Deferred

Published: 2026-04-02T08:16:28.057

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-0688

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:15Z

Weaknesses