Description
The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is accessible to unauthenticated users. The proxy() method in the Redux_P class takes a URL directly from $_GET['url'] without any validation (the regex is set to /.*/ which matches all URLs) and passes it to wp_remote_request(), which does not have built-in SSRF protection like wp_safe_remote_request(). There is no authentication check, no nonce verification, and no URL restriction. The response from the requested URL is then returned to the attacker, making this a full-read SSRF. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal network ports, or interact with cloud metadata endpoints.
Published: 2026-03-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server-Side Request Forgery
Action: Patch Now
AI Analysis

Impact

The Content Syndication Toolkit plugin for WordPress contains a Server‑Side Request Forgery vulnerability that allows attackers to trigger any HTTP request from the web server. The vulnerable endpoint (wp_ajax_nopriv_redux_p) accepts a 'url' parameter from the query string, passes it directly to WordPress’s wp_remote_request() function without validation, and returns the response to the caller. Because no authentication, nonce, or URL whitelisting is enforced, an unauthenticated user can read the content of arbitrary internal or external resources, including cloud metadata endpoints or protected internal services. This can lead to information disclosure, internal network discovery, or potential further exploitation of downstream services.

Affected Systems

This weakness exists in all releases of the Content Syndication Toolkit plugin for WordPress up to and including version 1.3, which is distributed by the vendor benmoody. Any WordPress site that has a vulnerable copy of this plugin installed is at risk.

Risk and Exploitability

The CVSS score of 7.2 reflects a moderate to high risk due to the lack of authentication and input validation. Exploitation requires only an unauthenticated HTTP request to the exposed AJAX endpoint; no special conditions are needed. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Consequently, the likelihood of exploitation remains moderate to high in environments where the plugin is active and exposed to the internet.

Generated by OpenCVE AI on March 21, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Content Syndication Toolkit plugin to the latest version that removes the SSRF flaw.
  • If an immediate update is not possible, permanently disable or remove the plugin from the WordPress installation.
  • If the plugin must remain temporarily, block access to the wp_ajax_nopriv_redux_p endpoint via the web‑application firewall or server configuration to prevent unauthenticated requests.
  • Monitor WordPress logs for unexpected requests to the 'redux_p' AJAX action and investigate any suspicious activity.
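The monitoring recommendation above can be turned into a concrete check. The following Python scanner, an added example that is neither OpenCVE's nor the plugin's code, pulls `redux_p` requests out of WordPress access-log lines and classifies where the proxied `url` points (internal range, cloud-metadata range, or external). The sample log lines, the sensitive-hostname list and the assumption that requests arrive through `admin-ajax.php` are constructed for this illustration.

```python
"""Flag access-log hits on the redux_p AJAX proxy whose 'url' targets internal
or cloud-metadata addresses. Constructed example, not code from the plugin."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Request line of a combined-format access log: "METHOD PATH HTTP/x.y"
_REQ = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')
# Names that reach metadata services without an IP literal (assumed list).
_METADATA_HOSTS = {"metadata", "metadata.google.internal"}

def classify_target(url: str) -> str:
    """Return 'metadata', 'internal', 'external' or 'invalid' for a proxied URL."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return "invalid"
    if host in _METADATA_HOSTS or host.endswith(".internal"):
        return "metadata"
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # plain hostname; no DNS lookup, stays offline
    if ip.is_link_local:   # 169.254.0.0/16 is the cloud metadata range
        return "metadata"
    if ip.is_loopback or ip.is_private:
        return "internal"
    return "external"

def scan_log(lines):
    """Yield (client_ip, target_class, url) for every redux_p proxy request."""
    for line in lines:
        m = _REQ.search(line)
        if not m or "admin-ajax.php" not in m.group("path"):
            continue
        qs = parse_qs(urlparse(m.group("path")).query)
        if qs.get("action", [""])[0] != "redux_p":
            continue
        url = qs.get("url", [""])[0]
        yield line.split()[0], classify_target(url), url

def alerts(lines):
    """Keep only hits whose proxied target is internal or metadata."""
    return [hit for hit in scan_log(lines) if hit[1] in ("internal", "metadata")]

# Constructed sample log lines (RFC 5737 documentation addresses as clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:07:09:00 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Mar/2026:07:09:01 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 88',
    '198.51.100.9 - - [21/Mar/2026:07:10:00 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 1200',
]
```

Run `alerts(SAMPLE_LOG)` to get the two hits from 203.0.113.7; any non-empty result on a production log is worth investigating while the plugin is still installed.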

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Benmoody; Benmoody content Syndication Toolkit; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Benmoody; Benmoody content Syndication Toolkit; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is accessible to unauthenticated users. The proxy() method in the Redux_P class takes a URL directly from $_GET['url'] without any validation (the regex is set to /.*/ which matches all URLs) and passes it to wp_remote_request(), which does not have built-in SSRF protection like wp_safe_remote_request(). There is no authentication check, no nonce verification, and no URL restriction. The response from the requested URL is then returned to the attacker, making this a full-read SSRF. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal network ports, or interact with cloud metadata endpoints.

Type: Title
Values Removed: (none)
Values Added: Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:55.989Z

Reserved: 2026-03-03T13:53:57.074Z

Link: CVE-2026-3478

Vulnrichment

Updated: 2026-03-23T15:52:26.812Z

NVD

Status: Deferred

Published: 2026-03-21T04:17:25.807

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:21Z

Weaknesses