Description
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8.
Published: 2026-06-11
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Fediverse Embeds WordPress plugin allows any unauthenticated visitor to send a base64-encoded URL to a REST endpoint that forwards the request without domain validation. The plugin simply forwards the response body back to the caller, giving the attacker a full-read Server-Side Request Forgery or open proxy capability. An attacker could use this to probe internal networks, access sensitive information, or facilitate further attacks such as data exfiltration or credential theft.

Affected Systems

The vulnerability affects the Fediverse Embeds plugin (stefanbohacek:fediverse-embeds-wordpress-plugin), specifically all releases before version 1.5.8. Versions 1.5.8 and later contain a proper domain validation guard that prevents unauthenticated media proxy requests.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is an unauthenticated HTTP request to the ftf/media-proxy REST route, which means any web visitor can invoke it. Once exploited, the attacker can retrieve arbitrary external resources through the compromised server, effectively turning the host into an open proxy.

Generated by OpenCVE AI on June 11, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fediverse Embeds plugin to version 1.5.8 or later.
  • If an upgrade is not immediately possible, block or remove the ftf/media-proxy REST endpoint for unauthenticated users, or restrict access by adding capability checks to the route.
  • Configure the server or hosting environment to restrict outbound HTTP requests from the WordPress installation to a whitelist of trusted domains, mitigating the impact of the open proxy functionality.
  • Monitor and audit WordPress REST API logs for unexpected media-proxy calls to detect possible exploitation attempts.
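The description above names the defect (a permission_callback of __return_true and an allowlist result stored in a flag that is never read), and the second recommended action asks for a real access check on the route. The following is an added illustration of what such a guard looks like; it is not the plugin's own code or its 1.5.8 fix. The namespace and route name come from the advisory, while the host allowlist, function names and response shape are assumed.

```php
<?php
// Added example (not Fediverse Embeds code). Assumed allowlist of fediverse hosts.
const FTF_ALLOWED_MEDIA_HOSTS = [ 'mastodon.social', 'fosstodon.org' ];

/**
 * Validate the proxied URL: strict base64, https only, host on the allowlist.
 * Returns the decoded URL or a WP_Error. Unlike a flag that is set and never
 * read, the return value here is what decides whether anything is fetched.
 */
function ftf_example_validate_media_url( string $encoded ) {
    $url = base64_decode( $encoded, true );
    if ( false === $url ) {
        return new WP_Error( 'bad_encoding', 'URL must be base64', [ 'status' => 400 ] );
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'bad_url', 'Only https URLs are proxied', [ 'status' => 400 ] );
    }
    if ( ! in_array( strtolower( $parts['host'] ), FTF_ALLOWED_MEDIA_HOSTS, true ) ) {
        return new WP_Error( 'host_not_allowed', 'Host is not an allowed fediverse domain', [ 'status' => 403 ] );
    }
    return $url;
}

function ftf_example_media_proxy( WP_REST_Request $request ) {
    $url = ftf_example_validate_media_url( (string) $request->get_param( 'url' ) );
    if ( is_wp_error( $url ) ) {
        return $url;
    }
    // wp_safe_remote_get() also rejects loopback/private targets via wp_http_validate_url();
    // 'redirection' => 0 stops an allowed host from bouncing the request to an arbitrary one.
    $response = wp_safe_remote_get( $url, [ 'redirection' => 0, 'timeout' => 5 ] );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Upstream fetch failed', [ 'status' => 502 ] );
    }
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $type, 'image/' ) ) {
        return new WP_Error( 'not_media', 'Upstream did not return an image', [ 'status' => 502 ] );
    }
    return new WP_REST_Response( [ 'content_type' => $type, 'body' => base64_encode( wp_remote_retrieve_body( $response ) ) ], 200 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ftf', '/media-proxy', [
        'methods'             => 'GET',
        'callback'            => 'ftf_example_media_proxy',
        // Replaces __return_true: the allowlist check itself gates the route, so a
        // disallowed host is refused before any outbound request is made.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $url = ftf_example_validate_media_url( (string) $request->get_param( 'url' ) );
            return is_wp_error( $url ) ? $url : true;
        },
    ] );
} );
```

Returning the WP_Error from permission_callback makes the REST API answer with the error's status, so failed checks are visible in the access log as 400/403 responses on ftf/media-proxy, which is the signal the monitoring action above looks for.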


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 18:00:00 +0000

Values removed: none
Values added:
  • Description: Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8.
  • Title: Fediverse Embeds: Unauthenticated SSRF / open proxy via REST media-proxy endpoint
  • Weaknesses: CWE-918
  • References: none listed
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:58:07.518Z

Reserved: 2026-05-15T23:26:58.308Z

Link: CVE-2026-46697

Vulnrichment

Updated: 2026-06-11T18:57:56.991Z

NVD

Status: Deferred

Published: 2026-06-11T18:16:25.957

Modified: 2026-06-11T20:59:55.650

Link: CVE-2026-46697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:30:28Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)