Description
The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks
Published: 2026-03-31
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated blind SSRF
Action: Patch immediately
AI Analysis

Impact

The vulnerability in the Performance Monitor WordPress plugin up to version 1.0.6 occurs because the plugin does not validate a request parameter before making an outbound HTTP request. An unauthenticated user can supply a crafted URL, causing the plugin to fetch resources on behalf of the server. The response is not returned to the attacker, which makes the SSRF blind, but the attacker can still force the server to contact internal or external resources, potentially exfiltrating data or triggering unauthorized actions.

Affected Systems

WordPress sites running the Performance Monitor plugin at version 1.0.6 or earlier. The plugin vendor is unknown; all installations of the affected versions are susceptible.

Risk and Exploitability

The CVSS base score of 5.8 indicates moderate severity. The EPSS score is below 1%, suggesting that real-world exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw is exploitable without authentication and can be triggered via a simple HTTP request, administrators should regard it as a medium risk within their environment. An attacker could manipulate the server to access internal network resources or leak sensitive data through outbound requests.

Generated by OpenCVE AI on March 31, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Performance Monitor plugin to version 1.0.7 or later as soon as possible.
  • If an immediate update is not possible, temporarily block external requests from the plugin's endpoint using a firewall or redirect the request to a restricted interface.
  • Monitor server logs for unexpected outbound HTTP requests originating from the plugin.

Generated by OpenCVE AI on March 31, 2026 at 16:24 UTC.
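The plugin's own source is not on this page, so the following is an added illustration, not the Performance Monitor code or its fix. It shows the pattern that closes a CWE-918 hole of the kind described above in a WordPress request handler: the handler requires a capability and a nonce (addressing the "unauthenticated" aspect), checks the user-supplied URL against an administrator-controlled host allowlist, and fetches it with WordPress core's wp_safe_remote_get(), which refuses non-http(s) schemes, URLs carrying credentials, and hosts that resolve to loopback or private ranges. All function and option names prefixed pm_example_ are hypothetical.

```php
<?php
/**
 * Added example, not code from the Performance Monitor plugin (its source is
 * not on this page). The vulnerable shape this replaces is roughly
 *   wp_remote_get( $_GET['url'] );
 * reached without authentication. Names prefixed pm_example_ are hypothetical.
 */

/** Return true only for http(s) URLs whose host is on the configured allowlist. */
function pm_example_url_is_allowed( string $url, array $allowed_hosts ) : bool {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return false;
    }
    $scheme = strtolower( $parts['scheme'] ?? '' );
    if ( 'http' !== $scheme && 'https' !== $scheme ) {
        return false;
    }
    // Reject userinfo: "http://allowed.example@evil.example/" parses with a
    // different host than a casual reader expects.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    // Exact, case-insensitive host match; no wildcards, no substring matching.
    $host = strtolower( $parts['host'] );
    return in_array( $host, array_map( 'strtolower', $allowed_hosts ), true );
}

/** Hypothetical admin-ajax handler (hardened form). */
function pm_example_fetch_handler() {
    // 1. Only privileged users, and only with a valid nonce for this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    check_ajax_referer( 'pm_example_fetch', 'nonce' );

    // 2. Sanitize the parameter and compare it against a server-side allowlist
    //    that comes from a site option, never from the request itself.
    $url           = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';
    $allowed_hosts = (array) get_option( 'pm_example_allowed_hosts', array() );

    if ( '' === $url || ! pm_example_url_is_allowed( $url, $allowed_hosts ) ) {
        wp_send_json_error( 'URL not permitted', 400 );
    }

    // 3. wp_safe_remote_get() sets reject_unsafe_urls, so core additionally
    //    blocks hosts resolving to private or reserved addresses. Redirects are
    //    disabled so a permitted host cannot bounce the request elsewhere.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );

    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'Fetch failed', 502 );
    }

    // 4. Return only what the feature needs; never echo the fetched body back.
    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
    ) );
}

// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_pm_example_fetch', 'pm_example_fetch_handler' );
```

The allowlist check and wp_safe_remote_get() are complementary: the allowlist limits the feature to the hosts it genuinely needs, while core's unsafe-URL rejection catches a permitted hostname that later resolves to an internal address. Disabling redirects matters because a redirect from an allowed host would otherwise be followed by the server without re-checking the target against the allowlist.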


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Performance Monitor; Performance Monitor performance Monitor; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Performance Monitor; Performance Monitor performance Monitor; Wordpress; Wordpress wordpress

Tue, 31 Mar 2026 15:15:00 +0000

Type: Weaknesses
  Values Added: CWE-918
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 06:30:00 +0000

Type: Description
  Values Added: The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks
Type: Title
  Values Added: Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF
Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:58.231Z

Reserved: 2026-03-10T13:33:15.768Z

Link: CVE-2026-3881

Vulnrichment

Updated: 2026-03-31T14:54:16.774Z

NVD

Status : Deferred

Published: 2026-03-31T07:16:12.283

Modified: 2026-04-15T15:05:47.827

Link: CVE-2026-3881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:10:28Z

Weaknesses