CVE-2026-1648
Received Received - Intake
Server-Side Request Forgery in WordPress Performance Monitor Plugin Enables RCE

Publication date: 2026-03-21

Last updated on: 2026-03-23

Assigner: Wordfence

Description
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1648
EUVD
EUVD-2026-14167
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wpperformance performance_monitor to 1.0.6 (inc)
wordfence performance_monitor to 1.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Performance Monitor plugin for WordPress, up to version 1.0.6, contains a Server-Side Request Forgery (SSRF) vulnerability. This occurs because the plugin does not properly validate the 'url' parameter in its REST API endpoint '/wp-json/performance-monitor/v1/curl_data'.

An unauthenticated attacker can exploit this flaw to make the server send web requests to arbitrary locations, including internal network services, using protocols like Gopher. This can be further chained with vulnerable internal services such as Redis to achieve Remote Code Execution (RCE).

Impact Analysis

This vulnerability allows attackers to make unauthorized requests from your server to arbitrary internal or external locations. This can lead to several serious impacts:

  • Access to internal network services that are not normally exposed externally.
  • Potential Remote Code Execution by chaining the SSRF with vulnerable services like Redis.
  • Data exfiltration or unauthorized internal reconnaissance.
  • Compromise of internal infrastructure and escalation of privileges within the network.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability exists in the Performance Monitor WordPress plugin versions up to 1.0.6, specifically in the REST API endpoint '/wp-json/performance-monitor/v1/curl_data' where the 'url' parameter is insufficiently validated, allowing Server-Side Request Forgery (SSRF). Detection can focus on monitoring or testing this endpoint for SSRF behavior."}, {'type': 'paragraph', 'content': 'Since the plugin uses cURL requests internally to fetch and analyze URLs, one detection approach is to send crafted requests to the vulnerable REST API endpoint with URLs targeting internal or sensitive services, including those using the Gopher protocol, and observe if the server makes those requests.'}, {'type': 'paragraph', 'content': "Commands to test this could include sending HTTP POST or GET requests to the endpoint with the 'url' parameter set to internal IP addresses or services, for example using curl:"}, {'type': 'list_item', 'content': "curl -X POST 'https://target-site.com/wp-json/performance-monitor/v1/curl_data' -d 'url=http://127.0.0.1:6379'"}, {'type': 'list_item', 'content': "curl -X POST 'https://target-site.com/wp-json/performance-monitor/v1/curl_data' -d 'url=gopher://127.0.0.1:6379/_COMMANDS'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring logs for unusual outbound requests from the server to internal IPs or unexpected protocols (like gopher) can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'For more advanced detection, leveraging SSRF detection techniques such as SSRF canaries or side-channel timing analysis as described in SSRF exploitation resources can be useful.'}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Update the Performance Monitor WordPress plugin to a version later than 1.0.6 where this vulnerability is fixed, if available.'}, {'type': 'list_item', 'content': "If an update is not immediately available, disable or restrict access to the vulnerable REST API endpoint '/wp-json/performance-monitor/v1/curl_data' to prevent unauthenticated access."}, {'type': 'list_item', 'content': 'Implement network-level controls such as firewall rules to block outgoing requests from the web server to internal services or dangerous protocols like Gopher.'}, {'type': 'list_item', 'content': 'Monitor server logs for suspicious requests to the vulnerable endpoint or unusual outbound connections.'}, {'type': 'list_item', 'content': 'Consider applying Web Application Firewall (WAF) rules to detect and block SSRF payloads targeting this endpoint.'}, {'type': 'paragraph', 'content': "Long-term mitigation involves improving input validation on the 'url' parameter to restrict allowed protocols and destinations, preventing SSRF exploitation."}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart