Description
Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery. This issue affects Ratatouille: from n/a through <= 1.2.6.
Published: 2026-03-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Assess Impact
AI Analysis

Impact

A Server Side Request Forgery (SSRF) flaw exists in the SkatDesign Ratatouille WordPress theme through version 1.2.6. The vulnerability permits a malicious actor to cause the theme to initiate HTTP requests on behalf of the server, potentially reaching internal network resources or sensitive data. This weakness can expose confidential information or serve as a stepping-stone for further exploits against internal services, depending on the configuration of the target environment.

Affected Systems

The vulnerability affects the WordPress Ratatouille theme from the earliest released builds up to and including version 1.2.6. All installations using the SkatDesign Ratatouille theme on WordPress platforms that have not upgraded past 1.2.6 are potentially exposed.

Risk and Exploitability

The CVSS score is 6.4, indicating medium severity. The EPSS score is lower than 1%, suggesting that exploitation is unlikely to be widespread, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted request to a WordPress page that triggers the theme's request handler, which then issues back-end traffic. Exploitation does not appear to require privileged access, but the attacker must be able to deliver a request to the vulnerable site. The lack of a publicly posted exploit and the low EPSS make the risk moderate, though mitigating the issue remains advisable for environments that expose sensitive internal networks.

Generated by OpenCVE AI on April 15, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ratatouille theme to the latest available version (1.2.7 or later) if such an update exists and includes an SSRF fix.
  • If no patch is available, remove or disable the Ratatouille theme from the WordPress installation.
  • Implement input validation and whitelist checks on any outbound HTTP requests made by WordPress plugins or themes; restrict requests to approved external hosts and block private IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12.
  • Deploy a Web Application Firewall rule that blocks internal network requests or requests to localhost and private network ranges.
  • Periodically scan the web application for open SSRF endpoints and update the configuration accordingly.
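The validation step recommended above (approved hosts only, private ranges refused) as an added example in Python; this is not Ratatouille or WordPress code. DNS resolution is injected so the check runs offline against a constructed answer table; the allow-list, host names and addresses are all assumptions for illustration.

```python
"""Destination check for server-side HTTP fetches (illustrative, not theme code)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges named in the advisory plus the other non-public blocks a fetcher must refuse.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",                     # link-local
    "0.0.0.0/8", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]

def system_resolver(host: str) -> list[str]:
    """Return every A/AAAA answer for host from the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(addr: str) -> bool:
    """True if addr (IPv4 or IPv6 text) falls inside a blocked network."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:10.0.0.1 is still 10.0.0.1
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def outbound_url_allowed(url: str, allowed_hosts: set[str],
                         resolve: Resolver = system_resolver) -> bool:
    """Allow only http(s) URLs whose host is on the allow-list and whose
    every resolved address is publicly routable. Re-run on each redirect hop."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host or parts.username:
        return False
    if host not in allowed_hosts:
        return False
    try:
        addrs = list(resolve(host))
        blocked = any(is_blocked_address(a) for a in addrs)
    except (socket.gaierror, ValueError):
        return False
    # No answers at all, or a single internal answer, refuses the whole fetch.
    return bool(addrs) and not blocked

# Constructed DNS answers (assumed, for offline demonstration only).
DEMO_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "dual.example.com": ["203.0.113.20", "10.0.0.5"],   # one public, one internal
    "v6.example.com": ["::ffff:192.168.1.9"],           # IPv4 hidden in IPv6 form
    "meta.example.com": ["169.254.169.254"],
}

def demo_resolver(host: str) -> list[str]:
    """Stand-in for system_resolver; unknown hosts get no answers."""
    return DEMO_DNS.get(host, [])
```

In PHP theme or plugin code the equivalent is to fetch through `wp_safe_remote_get()`, which applies a comparable destination check via `wp_http_validate_url()`, rather than through raw `wp_remote_get()` or cURL.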


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Skatdesign; Skatdesign ratatouille; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Skatdesign; Skatdesign ratatouille; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: none
Values Added: Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery. This issue affects Ratatouille: from n/a through <= 1.2.6.

Type: Title
Values Removed: none
Values Added: WordPress Ratatouille theme <= 1.2.6 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-918

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:28.772Z

Reserved: 2026-02-25T12:13:25.489Z

Link: CVE-2026-28036

Vulnrichment

Updated: 2026-03-05T20:50:33.326Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:36.473

Modified: 2026-03-05T21:16:18.603

Link: CVE-2026-28036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses