Description
Server-Side Request Forgery (SSRF) vulnerability in Brecht Visual Link Preview visual-link-preview allows Server Side Request Forgery. This issue affects Visual Link Preview: from n/a through <= 2.3.0.
Published: 2026-04-08
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Patch Immediately
AI Analysis

Impact

The Visual Link Preview plugin exposes an SSRF flaw that lets an attacker cause the server to make arbitrary HTTP requests. The vulnerability is classified as CWE-918 and can lead to unauthorized access to internal resources, data leaks, or further compromise of the hosting environment. The flaw would allow malicious endpoints to be contacted without any restriction, potentially exposing confidential system details to an attacker.

Affected Systems

WordPress sites that have the Brecht Visual Link Preview plugin installed at version 2.3.0 or earlier are affected. Any site using that plugin, regardless of its WordPress core version, could be vulnerable.

Risk and Exploitability

The CVSS score of 6.0 indicates medium severity. An EPSS score of less than 1% suggests that exploitation is currently unlikely in the broader ecosystem. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s link preview feature, which can be triggered by users who can supply arbitrary URLs. Exploitation would require the attacker to supply a crafted URL that redirects the server to an internal or otherwise unintended target.

Generated by OpenCVE AI on April 9, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Visual Link Preview plugin to version 2.3.1 or later.
  • If an upgrade is not possible, deactivate the plugin until a patched version is released.
  • Verify that outbound requests are monitored or restricted to trusted destinations.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: none listed
Values Added:
  cvssV3_1: {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: none listed
Values Added:
  Brecht
  Brecht visual Link Preview
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: none listed
Values Added:
  Brecht
  Brecht visual Link Preview
  Wordpress
  Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: none listed
Values Added: Server-Side Request Forgery (SSRF) vulnerability in Brecht Visual Link Preview visual-link-preview allows Server Side Request Forgery. This issue affects Visual Link Preview: from n/a through <= 2.3.0.

Type: Title
Values Removed: none listed
Values Added: WordPress Visual Link Preview plugin <= 2.3.0 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values Removed: none listed
Values Added: CWE-918
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.910Z

Reserved: 2026-04-07T10:57:59.671Z

Link: CVE-2026-39670

Vulnrichment

Updated: 2026-04-09T15:01:43.640Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:38.423

Modified: 2026-04-24T18:06:04.160

Link: CVE-2026-39670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:37Z

Weaknesses