CVE-2026-3881
SSRF Vulnerability in Performance Monitor WordPress Plugin
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| performance_monitor | performance_monitor | to 1.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3881 is a vulnerability in the Performance Monitor WordPress plugin version 1.0.6 and earlier. The plugin does not validate a user-supplied parameter before making an HTTP request, which allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks.
Specifically, an attacker can send a crafted request to the pluginβs REST API endpoint `/wp-json/performance-monitor/v1/curl_data` with a manipulated `url` parameter. This causes the server to make a request to an arbitrary URL specified by the attacker.
This vulnerability is classified under CWE-918 (Server-Side Request Forgery) and has a medium severity CVSS score of 5.8.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to make the server perform HTTP requests to arbitrary URLs. This can lead to unauthorized access to internal resources or services that are not normally accessible from outside the network.
Potential impacts include information disclosure, bypassing network restrictions, or interacting with internal systems that could lead to further exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Performance Monitor WordPress plugin's REST API endpoint for Server-Side Request Forgery (SSRF) behavior.
A common method is to send a crafted HTTP request to the endpoint `/wp-json/performance-monitor/v1/curl_data` with a manipulated `url` parameter to see if the server makes an unintended request.
For example, you can use the following curl command to test if the server performs the SSRF:
- curl -v "https://example.com/wp-json/performance-monitor/v1/curl_data?url=http://127.0.0.1:8282"
If the server responds or behaves as if it has made a request to the internal address, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Currently, there is no known fix for this vulnerability in the Performance Monitor WordPress plugin.
Immediate mitigation steps include:
- Restrict access to the vulnerable REST API endpoint `/wp-json/performance-monitor/v1/curl_data` by limiting it to trusted users or IP addresses.
- Disable or remove the Performance Monitor plugin if it is not essential.
- Monitor network traffic for suspicious requests targeting the plugin's endpoint.
- Keep an eye on official plugin updates or security advisories for a patch or fix.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Performance Monitor WordPress plugin allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal resources or services. Such unauthorized access could lead to exposure or misuse of sensitive data.
This kind of vulnerability may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access or disclosure.
However, the provided information does not explicitly detail the direct effects on compliance or specific regulatory requirements.