Description
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Independent Analytics plugin for WordPress contains an unauthenticated Server‑Side Request Forgery vulnerability. A public tracking endpoint accepts a referrer_url parameter that, when signed with an insufficiently protected signature, causes the plugin’s scheduled job to download favicons using raw cURL calls. This allows an attacker to inject a malicious domain, resulting in the server making requests to arbitrary hosts, including internal network services. This flaw exposes the site to data exfiltration, credential abuse, or pivoting into private resources.

Affected Systems

All deployments of the Independent Analytics WordPress analytics plugin up to and including version 2.14.9 are affected. The vulnerability exists across all WordPress installations that have this plugin installed.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity flaw. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network‑based, with unauthenticated users able to trigger requests by making HTTP calls to the /wp-json/iawp/search endpoint. Because the plugin uses raw cURL functions without SSRF mitigation, exploitation requires only the crafted request payload; no special privileges are needed.

Generated by OpenCVE AI on May 28, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Independent Analytics plugin to a version newer than 2.14.9 where the tracking route and favicon fetcher are removed or properly protected.
  • If an upgrade is not immediately possible, disable the plugin’s tracking endpoint or the favicon fetcher feature to eliminate the SSRF vector.
  • Configure a web application firewall or access control rule to restrict requests to the /wp-json/iawp/search route to authenticated users only or block the route entirely if not required.

Generated by OpenCVE AI on May 28, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 04:45:00 +0000

Type Values Removed Values Added
Description The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
Title Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:37:59.279Z

Reserved: 2026-04-07T13:36:41.592Z

Link: CVE-2026-5737

cve-icon Vulnrichment

Updated: 2026-05-28T10:37:54.699Z

cve-icon NVD

Status : Deferred

Published: 2026-05-28T05:16:38.100

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-5737

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses