Description
The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Kargo Takip WordPress plugin allows unauthenticated users to supply an arbitrary URL in the 'api_url' parameter. The plugin passes this value to a server-side request function, fetches the response from the target, and echoes back the content of the 'auth' field from the JSON payload. This behavior creates an SSRF flaw that can be used to probe internal services, read sensitive data from local metadata endpoints, and potentially modify internal resources depending on the target service's API. The impact includes confidentiality disclosure of internal state and possible integrity damage, as the attacker can influence internal services via the forged requests.

Affected Systems

WordPress installations running the Kargo Takip plugin version 1.2 or lower. Any site that has the plugin enabled is vulnerable regardless of user role, because the request path is publicly accessible.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate-to-high severity; however, no EPSS score is available, so current exploitation likelihood is unknown. The vulnerability is not listed in CISA KEV, suggesting no confirmed exploit in the wild yet. Attackers can trigger the flaw by sending a crafted GET or POST request to the exposed endpoint containing an arbitrary 'api_url'. The plugin lacks authentication checks, so any visitor can exploit it. Full exploitation requires only network connectivity from the web server to the target internal service, which is typically present in shared hosting environments.

Generated by OpenCVE AI on June 24, 2026 at 09:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Kargo Takip plugin to the latest available version (above 1.2) or remove the plugin entirely if an update is not possible.
  • Apply a network firewall rule or server configuration that limits outbound connections from the web application to whitelisted external hosts, thereby blocking unintended internal service access.
  • Whitelist allowed endpoints within the plugin code so that only approved URLs can be requested, or patch the code to strip or validate the 'api_url' parameter before use.
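The third recommended action, as an added example that is not the plugin's own code: validate a user-supplied 'api_url' against a host allowlist and reject private, loopback and link-local targets before the value reaches a server-side request. The constant KARGO_TAKIP_ALLOWED_HOSTS, the placeholder host in it and the function name are assumptions for illustration; the WordPress helpers (wp_parse_url, wp_safe_remote_get, wp_send_json_error) are real.

```php
<?php
// Added example, not code from the Kargo Takip plugin. The allowlist
// constant and its placeholder host are assumptions: replace with the
// carrier API host(s) the plugin legitimately needs to reach.
const KARGO_TAKIP_ALLOWED_HOSTS = [ 'api.example-carrier.test' ];

/**
 * Returns $url unchanged if it is safe to fetch, or null if it must be refused.
 */
function kargo_takip_validate_api_url( string $url ): ?string {
    $parts = wp_parse_url( $url ); // WordPress wrapper around parse_url()
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return null;
    }
    // 1. https only: no file://, gopher://, or plaintext http.
    if ( ( $parts['scheme'] ?? '' ) !== 'https' ) {
        return null;
    }
    // 2. No embedded credentials and no non-standard port.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return null;
    }
    // 3. Exact, case-insensitive host match; substring or suffix checks are bypassable.
    if ( ! in_array( strtolower( $parts['host'] ), KARGO_TAKIP_ALLOWED_HOSTS, true ) ) {
        return null;
    }
    // 4. Defense in depth: resolve the host and refuse private or reserved
    //    ranges (covers 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16),
    //    so a poisoned DNS record cannot redirect the fetch to a metadata
    //    endpoint. gethostbyname() is IPv4-only; it returns the input on failure.
    $ip = gethostbyname( $parts['host'] );
    if ( $ip === $parts['host'] ) {
        return null;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
        return null;
    }
    return $url;
}

$api_url = kargo_takip_validate_api_url( (string) ( $_GET['api_url'] ?? '' ) );
if ( $api_url === null ) {
    wp_send_json_error( 'api_url not permitted', 400 ); // exits after output
}
// wp_safe_remote_get() also applies WordPress's own reject_unsafe_urls filter.
$response = wp_safe_remote_get( $api_url, [ 'timeout' => 5 ] );
```

The resolution check is advisory only, since the HTTP client resolves the name again at request time; the host allowlist is the control that actually closes the hole. Independently of URL validation, the handler should not echo the upstream 'auth' value back to the browser, so that even a permitted upstream response cannot be exfiltrated through the plugin.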



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type: Description
  Values Removed:
  Values Added: The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.

Type: Title
  Values Removed:
  Values Added: Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter

Type: Weaknesses
  Values Removed:
  Values Added: CWE-918

Type: References
  Values Removed:
  Values Added:

Type: Metrics
  Values Removed:
  Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:26.614Z

Reserved: 2026-06-12T14:11:43.589Z

Link: CVE-2026-12095

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)