Description
Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.
Published: 2026-06-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The utm.codes WordPress plugin through version 1.9.0 contains a Server-Side Request Forgery (SSRF) flaw that lets an authenticated user at Subscriber level or above make the vulnerable web server send outbound HTTP requests to destinations of the user's choosing. From the server's network position such requests can probe internal hosts and ports, reach services that trust the server's source address (intranet applications, cloud metadata endpoints) and, depending on how the plugin handles the response, pull data back to the attacker, or serve as a pivot into otherwise protected environments. The CVSS 3.1 score of 6.4 is rated Medium; the vector's changed scope (S:C) with low confidentiality and integrity impact reflects that the damage lands on systems beyond the WordPress host itself.

Affected Systems

The vulnerability affects the utm.codes WordPress plugin by Chris Carlevato; every release up to and including version 1.9.0 is vulnerable. Any WordPress site with one of these versions installed and active is exposed wherever the plugin builds an outbound request from user-supplied input.

Risk and Exploitability

Because the plugin accepts user-supplied data as a request target, the flaw is classified as CWE-918. Per the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C), it is exploitable over the network with low complexity and no user interaction, but it does require an authenticated account: the Patchstack title indicates that Subscriber-level privileges suffice, which on sites with open registration is a low bar. The EPSS score is below 1% (Very Low), the vulnerability is not listed in CISA KEV, and the SSVC assessment records no known exploitation and rates it not automatable. CVSS measures severity rather than likelihood of attack; the practical risk is that the SSRF gives a low-privileged user the server's network vantage point for reaching internal services, which can facilitate further compromise.
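The CWE-918 pattern described above, as an added example in PHP that is not code from the utm.codes plugin or from OpenCVE: a handler that fetches a user-supplied `target` URL as-is, beside a hardened version that resolves the destination and refuses loopback, private, link-local and reserved addresses before any connection is made. The function names, the `target` parameter, the hostnames and the resolver table are constructed for illustration and do not describe the plugin's real code path.

```php
<?php
// Added example, not code from the utm.codes plugin or from OpenCVE. It shows the
// CWE-918 pattern described above (a request target taken from user input and
// fetched as-is) beside a hardened version that validates the destination first.
// Function names, the "target" parameter, hostnames and the resolver table are
// constructed for illustration and do not describe the plugin's real code path.
declare(strict_types=1);

// VULNERABLE: whatever the caller supplies becomes the outbound request target.
// In a WordPress plugin this is typically wp_remote_get($url) on a value read from
// $_GET/$_POST in an AJAX or REST handler that any logged-in user can reach.
function fetch_vulnerable(array $request): ?string
{
    $url = (string) ($request['target'] ?? '');   // attacker-controlled
    return $url === '' ? null : $url;             // stand-in for wp_remote_get($url)
}

// HARDENED: return the URL only if it is safe to fetch; null means "refuse".
// $resolve maps a hostname to ALL of its addresses (A and AAAA). It is injected so
// the example runs offline; in production use gethostbynamel() plus an AAAA lookup
// (dns_get_record($host, DNS_AAAA)).
function validate_outbound_url(string $url, callable $resolve): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                               // no file://, gopher://, dict://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                               // http://allowed.host@evil.host/ tricks
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                               // keeps the server off internal admin ports
    }
    $host = strtolower(trim($parts['host'], '[]')); // parse_url keeps [] on IPv6 literals

    // Check every address the name maps to, not the literal the user typed: this
    // catches alternate IP encodings and names that point at internal hosts.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addrs === []) {
        return null;
    }
    foreach ($addrs as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, fe80::/10.
        $ok = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return null;
        }
    }
    return $url;
}

function fetch_hardened(array $request, callable $resolve): ?string
{
    $url = (string) ($request['target'] ?? '');
    return validate_outbound_url($url, $resolve); // stand-in for wp_safe_remote_get($url)
}

// Constructed resolver standing in for DNS. 'rebind.test' maps to a public and a
// loopback address at once, as a DNS-rebinding or split-horizon name might.
$fake_resolve = static function (string $host): array {
    $table = [
        'example.com'  => ['93.184.216.34'],
        'intranet.lan' => ['10.0.0.5'],
        'rebind.test'  => ['93.184.216.34', '127.0.0.1'],
    ];
    return $table[$host] ?? [];
};

$cases = [
    'https://example.com/utm?x=1',               // allow
    'http://169.254.169.254/latest/meta-data/',  // block: link-local metadata address
    'http://intranet.lan/admin',                 // block: resolves into RFC 1918 space
    'http://rebind.test/',                       // block: one answer is loopback
    'http://[::1]/',                             // block: IPv6 loopback literal
    'http://2130706433/',                        // block: decimal 127.0.0.1; no table entry here,
                                                 //        and a resolver accepting this form returns 127.0.0.1
    'http://example.com:8080/',                  // block: non-standard port
    'file:///etc/passwd',                        // block: scheme
];
foreach ($cases as $c) {
    $v = fetch_vulnerable(['target' => $c]) !== null ? 'fetch' : 'skip';
    $h = fetch_hardened(['target' => $c], $fake_resolve) !== null ? 'allow' : 'block';
    printf("%-44s vulnerable=%s hardened=%s\n", $c, $v, $h);
}
```

Run it with `php ssrf_check.php`; the vulnerable path fetches every case while the hardened path allows only the first. Two caveats a reviewer should insist on: the range check must be applied to the resolved addresses and the HTTP client then made to connect to exactly those addresses (or the name re-checked at connect time), because a second DNS lookup can return a different answer; and redirects must be disabled or re-validated per hop, since a public host can 302 to an internal one. WordPress's own wp_safe_remote_get() routes the URL through wp_http_validate_url(), which applies a comparable but IPv4-centric check. Independently of URL validation, the handler should be gated by current_user_can() and a nonce so that a Subscriber-level account cannot reach it at all.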

Generated by OpenCVE AI on June 26, 2026 at 16:44 UTC.

Remediation

Vendor Solution

Update the WordPress utm.codes plugin to the latest available version (1.9.1 or later).

OpenCVE Recommended Actions

  • Upgrade the utm.codes WordPress plugin to version 1.9.1 or later to eliminate the SSRF flaw.
  • If an immediate update cannot be deployed, deactivate or uninstall the utm.codes plugin to remove the vulnerable code path from the site.
  • As a compensating control until the update is in place, apply egress filtering (host firewall or network policy) that blocks outbound HTTP and HTTPS from the web server to loopback, RFC 1918 private and link-local ranges, the last of which includes the 169.254.169.254 cloud metadata address; this limits what the SSRF can reach but does not remove the flaw.

Generated by OpenCVE AI on June 26, 2026 at 16:44 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  -                Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.
Title        -                WordPress utm.codes plugin <= 1.9.0 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses   -                CWE-918
References   -                -
Metrics      -                cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:35:36.189Z

Reserved: 2026-06-18T14:37:29.429Z

Link: CVE-2026-56026

Vulnrichment

Updated: 2026-06-26T15:35:32.278Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)