The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.
Metrics
Affected Vendors & Products
References
History
Thu, 09 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Thu, 09 Jul 2026 07:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy. | |
| Title | Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Media Proxy | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-09T14:46:12.813Z
Reserved: 2026-06-17T12:41:37.963Z
Link: CVE-2026-12516
Updated: 2026-07-09T14:46:08.822Z
No data.
No data.
OpenCVE Enrichment
No data.