Description
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.
Published: 2026-07-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fediverse Embeds WordPress plugin versions prior to 1.5.8 fails to validate the destination of requests made by its media‑proxy endpoint, allowing unauthenticated users to instruct the server to fetch arbitrary URLs. This flaw enables a full‑read Server‑Side Request Forgery and effectively turns the site into an open proxy, exposing internal and private‑network resources to remote observers.

Affected Systems

The vulnerable product is the Fediverse Embeds plugin for WordPress, with all releases before 1.5.8 affected. No further variant or vendor information is present.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector, inferred from the description, is a web‑based request to the media‑proxy endpoint supplied by an unauthenticated user. An attacker can supply any URL, including internal or private‑network addresses, and retrieve the response body, thereby reading sensitive internal data.

Generated by OpenCVE AI on July 9, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fediverse Embeds plugin to version 1.5.8 or later to remove the unauthenticated SSRF flaw.
  • Restrict outbound network traffic from the WordPress installation, using firewall rules or application settings, to prevent the server from providing proxy access to internal resources.
  • Deploy a web application firewall or security plugin to block unauthenticated users from invoking the media‑proxy endpoint.

Generated by OpenCVE AI on July 9, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-918

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.
Title Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Media Proxy
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-09T14:46:12.813Z

Reserved: 2026-06-17T12:41:37.963Z

Link: CVE-2026-12516

cve-icon Vulnrichment

Updated: 2026-07-09T14:46:08.822Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T23:15:07Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)