Description
The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The URL Preview plugin for WordPress contains a Server-Side Request Forgery flaw that allows unauthenticated attackers to specify any URL through the 'url' parameter. An attacker can cause the web application to send requests to arbitrary external or internal addresses, potentially exposing sensitive data, modifying internal services, or enabling further lateral movement. The underlying weakness is an input-validation flaw (CWE-918): the plugin fails to restrict the scope of outbound requests.

Affected Systems

WordPress sites with the URL Preview plugin installed, in any version up to and including 1.0. The plugin is maintained by abhisheksaha11 and is exposed through its public interface.

Risk and Exploitability

The CVSS score of 7.2 categorizes the vulnerability as high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Because authentication is not required, an attacker can target the issue from any external source, increasing the likelihood of exploitation. The SSRF nature allows the attacker to reach internal services that normally would not be exposed, creating a significant attack surface.

Generated by OpenCVE AI on June 24, 2026 at 09:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the URL Preview plugin to the latest version that removes the SSRF flaw.
  • If an upgrade is not possible, permanently disable or remove the plugin from the WordPress installation.
  • Configure the web server or a web‑application firewall to block outbound requests from the WordPress process to internal IP ranges, or restrict the 'url' parameter to a whitelist of allowed domains.
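
As an added illustration of the last recommended action (not code from the plugin or from OpenCVE), the PHP function below combines a host allowlist for a 'url' value with a refusal of any target that resolves into a private or reserved IP range. The function name, the allowlist entries and the resolver map are hypothetical, and the sample hosts and addresses are constructed.

```php
<?php
// Added example, not the plugin's code. The function name, allowlist and
// resolver map are hypothetical; the sample hosts and IPs are constructed.

/**
 * Returns the vetted IP list for $url, or null if the request must be refused.
 * $resolve maps a hostname to an array of IP strings; it is injected so the
 * check runs offline here (in production it would wrap a real DNS lookup).
 */
function preview_target_ips(string $url, array $allowedHosts, callable $resolve): ?array
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null; // malformed or relative URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // only plain web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo invites host-parsing confusion
    }
    $host = strtolower(trim($parts['host'], '[]')); // strip IPv6 brackets
    if (!in_array($host, $allowedHosts, true)) {
        return null; // not on the allowlist
    }
    // An IP literal is checked directly; a name is resolved first.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if (empty($ips)) {
        return null; // unresolvable
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        // Refuse if ANY address falls in a private or reserved range.
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return $ips; // connect only to these addresses and do not follow redirects
}

// Constructed sample data: resolver map, allowlist and candidate 'url' values.
$dns = ['preview.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']];
$resolve = fn(string $h): array => $dns[$h] ?? [];
$allow = ['preview.example', 'intranet.example'];
$samples = ['https://preview.example/a', 'http://intranet.example/', 'http://127.0.0.1:8080/', 'ftp://preview.example/'];
foreach ($samples as $u) {
    printf("%-28s %s\n", $u, preview_target_ips($u, $allow, $resolve) ? 'allow' : 'refuse');
}
```

Returning the vetted addresses lets the caller connect to exactly those IPs, so a second DNS lookup at request time cannot substitute an internal address.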

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

  • Type: Metrics
    Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

  • Type: Description
    Values Added: The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
  • Type: Title
    Values Added: URL Preview <= 1.0 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
  • Type: Weaknesses
    Values Added: CWE-918
  • Type: References
  • Type: Metrics
    Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:52:41.256Z

Reserved: 2026-06-12T14:20:00.585Z

Link: CVE-2026-12100

Vulnrichment

Updated: 2026-06-24T12:52:37.299Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)