Description
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1.
Published: 2026-04-08
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to force the WordPress server running Nelio Content to send arbitrary HTTP requests to any target reachable from the internal network. This Server‑Side Request Forgery (CWE‑918) could expose sensitive internal services or data, and in some cases be used to pivot to further attacks. The impact is a potential breach of confidentiality and, if the application or network resources suffer denial of service from excessive requests, an availability threat as well.

Affected Systems

Nelio Software’s Nelio Content plugin is affected. All releases from the earliest version through 4.3.1 are vulnerable. No higher versions are mentioned as impacted.

Risk and Exploitability

The CVSS score of 4.9 places the issue in the moderate severity range, while the EPSS score of less than 1% indicates a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed exploitation activity recorded. Attackers would need to interact with the plugin’s exposed functionality, most likely through unauthenticated or low‑privilege web requests, to trigger the SSRF. No advanced exploit code is documented, but the basic SSRF path could be reused in multi‑stage attacks once the initial compromise is achieved.

Generated by OpenCVE AI on April 13, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Nelio Content to the latest release that addresses the SSRF flaw.
  • If an update is not available, uninstall or deactivate the Nelio Content plugin to remove the attack vector.
  • Review the WordPress installation for other vulnerable plugins and apply patches promptly.
  • Monitor outbound traffic for unexpected requests originating from the WordPress server to detect potential abuse.

Generated by OpenCVE AI on April 13, 2026 at 18:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Nelio Software
Nelio Software nelio Content
Wordpress
Wordpress wordpress
Vendors & Products Nelio Software
Nelio Software nelio Content
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1.
Title WordPress Nelio Content plugin <= 4.3.1 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses CWE-918
References

Subscriptions

Nelio Software Nelio Content
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-13T15:29:06.400Z

Reserved: 2026-04-07T10:48:03.414Z

Link: CVE-2026-39521

cve-icon Vulnrichment

Updated: 2026-04-13T15:28:54.560Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:25.793

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39521

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:39:53Z

Weaknesses