Description
Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery. This issue affects Podigee: from n/a through <= 1.4.0.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Upgrade
AI Analysis

Impact

The Podigee plugin contains an SSRF flaw that allows a malicious actor to craft a request that the plugin will forward to an arbitrary URL. When triggered, the plugin may contact internal or external services, potentially leaking sensitive data or enabling further attacks. The weakness is classified as CWE‑918, indicating that untrusted input is used to build a request URL without sufficient validation.

Affected Systems

Any WordPress site that has the Podigee plugin installed with a version up to and including 1.4.0 is affected. All releases prior to 1.4.0 meet the criteria described in the advisory. No specific build or configuration limits are cited.

Risk and Exploitability

The CVSS score of 5.4 denotes medium severity, and the EPSS score of less than 1% suggests that exploitation is unlikely in the wild. Because the plugin initiates outbound HTTP requests in response to user‑supplied input, the attack vector is inferred to be remote and requires access to the WordPress administrative interface or direct manipulation of the plugin’s configuration. The vulnerability is not listed in CISA’s KEV catalog, indicating that publicly known exploits have not yet been documented.

Generated by OpenCVE AI on April 13, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Podigee plugin to a version newer than 1.4.0
  • If an upgrade cannot be applied immediately, disable or delete the plugin from the WordPress installation
  • After upgrading, confirm that the plugin no longer accepts arbitrary URLs for outbound requests and monitor outbound traffic for anomalous behavior

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Podigee; Podigee podigee; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Podigee; Podigee podigee; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery. This issue affects Podigee: from n/a through <= 1.4.0.

Type: Title
Values Removed: (none)
Values Added: WordPress Podigee plugin <= 1.4.0 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.201Z

Reserved: 2026-04-07T10:58:16.464Z

Link: CVE-2026-39695

Vulnrichment

Updated: 2026-04-13T19:09:26.866Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:41.910

Modified: 2026-04-24T18:05:35.730

Link: CVE-2026-39695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:28Z

Weaknesses