Description
The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-05-02
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a blind Server-Side Request Forgery that exists in the Ona WordPress theme up to and including version 1.26. It originates from the ona_activate_child_theme routine and allows an authenticated user with administrator privileges to make arbitrary HTTP requests from the server. The attacker can use these requests to probe internal network resources or modify data on services accessible to the web application.

Affected Systems

WordPress sites running the Ona theme, any release through version 1.26. The vulnerability is present in all affected versions of the theme, regardless of minor patch level, and requires administrator-level authentication to trigger.

Risk and Exploitability

The CVSS score of 4.4 reflects a low-to-moderate severity for this SSRF. The EPSS score is not available, and the issue is not listed in CISA KEV. Attackers who can authenticate as administrators can exploit the blind SSRF to send requests to internal hosts, potentially exposing sensitive data or altering internal state. The vulnerability is hard to detect without monitoring outbound requests, but its impact on confidentiality and integrity can be substantial if internal services are reachable.

Generated by OpenCVE AI on May 2, 2026 at 10:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ona theme to a version released after 1.26 where the SSRF is fixed
  • If no update is available, deactivate or remove the Ona theme to eliminate the vulnerability
  • Restrict administrator‑level access to trusted users and implement least‑privilege on the WordPress installation

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Deothemes; Deothemes ona; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Deothemes; Deothemes ona; Wordpress; Wordpress wordpress

Sat, 02 May 2026 06:00:00 +0000

Type: Description
Values Removed: none
Values Added: The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Removed: none
Values Added: Ona <= 1.26 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'download_link' Parameter

Type: Weaknesses
Values Removed: none
Values Added: CWE-918

Type: References
Values Removed: none
Values Added: none listed

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T05:29:27.066Z

Reserved: 2026-04-21T17:37:59.492Z

Link: CVE-2026-6812

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T06:16:04.337

Modified: 2026-05-02T06:16:04.337

Link: CVE-2026-6812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses