Impact
The Fediverse Embeds WordPress plugin versions prior to 1.5.8 fails to validate the destination of requests made by its media‑proxy endpoint, allowing unauthenticated users to instruct the server to fetch arbitrary URLs. This flaw enables a full‑read Server‑Side Request Forgery and effectively turns the site into an open proxy, exposing internal and private‑network resources to remote observers.
Affected Systems
The vulnerable product is the Fediverse Embeds plugin for WordPress, with all releases before 1.5.8 affected. No further variant or vendor information is present.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector, inferred from the description, is a web‑based request to the media‑proxy endpoint supplied by an unauthenticated user. An attacker can supply any URL, including internal or private‑network addresses, and retrieve the response body, thereby reading sensitive internal data.
OpenCVE Enrichment