CVE-2026-0686
Status: Received - Intake
Server-Side Request Forgery in WordPress Webmention Plugin

Publication date: 2026-04-02

Last updated on: 2026-04-02

Assigner: Wordfence

Description
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-02
Generated: 2026-05-06
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: wordpress
Product: webmention
Version / Range: up to 5.6.2 (inclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

The Webmention plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 5.6.2. This vulnerability exists in the 'MF2::parse_authorpage' function, which is called via the 'Receiver::post' function. It allows unauthenticated attackers to make web requests from the web application to arbitrary locations.

Essentially, an attacker can exploit this flaw to make the WordPress site send requests to internal or external services that the attacker normally could not access directly.


How can this vulnerability impact me?

This vulnerability can have several impacts:

  • Attackers can use the vulnerable WordPress site to send unauthorized requests to internal services, potentially exposing sensitive internal data.
  • It can be used to query and modify information from internal services, leading to data leakage or unauthorized data manipulation.
  • Because the attacker does not need to be authenticated, the attack surface is larger and easier to exploit.
  • The vulnerability has a CVSS v3.1 base score of 7.2, indicating a high severity with impacts on confidentiality and integrity.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Server-Side Request Forgery (SSRF) in the Webmention WordPress plugin versions up to 5.6.2, specifically in the MF2::parse_authorpage function via Receiver::post. Detection would involve monitoring for unusual outbound web requests originating from the WordPress application to arbitrary or internal network locations.

Since the vulnerability allows unauthenticated attackers to trigger web requests from the server, you can detect exploitation attempts by inspecting web server logs for POST requests to the Webmention endpoint, typically at /webmention/1.0/endpoint, with suspicious source or target URLs.

Suggested commands to detect potential exploitation attempts include:

  • Using grep to find POST requests to the Webmention endpoint in web server logs: grep 'POST /webmention/1.0/endpoint' /var/log/apache2/access.log
  • Searching for unusual or internal IP addresses in outbound connections from the web server: sudo netstat -tunp | grep php or sudo lsof -i -n -P | grep php
  • Using curl or wget to test the Webmention endpoint manually by sending crafted POST requests with arbitrary source and target URLs to see if the server makes outbound requests.

Note: The provided resources do not include explicit detection commands or scripts, so these suggestions are based on the nature of the vulnerability and typical SSRF detection methods.
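The grep suggestion above finds the endpoint hits but leaves the analyst to count them by hand. The following script is an added example (not part of this CVE record and not code from the Webmention project): it parses combined-format access log lines, keeps only POSTs to /webmention/1.0/endpoint, groups them per client address, and flags clients that hit the endpoint repeatedly within a short window. The log lines are constructed samples.

```python
"""Flag Webmention endpoint POSTs in a combined-format access log.

Added example, not from the CVE record or the Webmention project: it turns the
grep suggestion above into a small parser so that hits can be grouped per
client address and short bursts surfaced. The log lines are constructed
samples; the path /webmention/1.0/endpoint is the endpoint named above.
"""
import re
from collections import defaultdict
from datetime import datetime

WEBMENTION_PATH = "/webmention/1.0/endpoint"

# Apache/nginx "combined" format: client, identity, user, [timestamp],
# "request line", status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample log: one client hammers the endpoint, one sends a
# single legitimate-looking mention.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2026:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2026:10:15:02 +0000] "POST /webmention/1.0/endpoint HTTP/1.1" 202 31 "-" "curl/8.5.0"
203.0.113.7 - - [02/Apr/2026:10:15:03 +0000] "POST /webmention/1.0/endpoint HTTP/1.1" 202 31 "-" "curl/8.5.0"
203.0.113.7 - - [02/Apr/2026:10:15:04 +0000] "POST /webmention/1.0/endpoint HTTP/1.1" 400 27 "-" "curl/8.5.0"
198.51.100.23 - - [02/Apr/2026:10:20:44 +0000] "POST /webmention/1.0/endpoint?foo=1 HTTP/1.1" 202 31 "https://example.org/post" "Mozilla/5.0"
198.51.100.23 - - [02/Apr/2026:10:21:10 +0000] "GET /2026/04/some-post/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop any query string so "/endpoint?x=1" still matches the endpoint path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_webmention_posts(log_text):
    """All POSTs to the Webmention endpoint, in file order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == WEBMENTION_PATH:
            hits.append(rec)
    return hits


def count_by_client(hits):
    """Number of endpoint POSTs per client address."""
    counts = defaultdict(int)
    for rec in hits:
        counts[rec["ip"]] += 1
    return dict(counts)


def bursting_clients(hits, threshold=3, window_seconds=60):
    """Clients that sent at least `threshold` endpoint POSTs within `window_seconds`."""
    by_ip = defaultdict(list)
    for rec in hits:
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_webmention_posts(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"].isoformat()} {rec["ip"]} -> HTTP {rec["status"]}')
    print("per client:", count_by_client(hits))
    print("bursting:", bursting_clients(hits))
```

The access log only records the request line, not the form body, so the `source` and `target` values a mention carries are not visible here; the script therefore keys on path, method and client behaviour. Point `find_webmention_posts` at the real log contents (for example the file the grep command above reads) and tune `threshold` and `window_seconds` to the site's normal mention volume.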


What immediate steps should I take to mitigate this vulnerability?

To mitigate this Server-Side Request Forgery vulnerability in the Webmention WordPress plugin, the immediate step is to update the plugin to a version later than 5.6.2 where the vulnerability is fixed.

If an immediate update is not possible, consider disabling the Webmention functionality on your WordPress site or for specific posts by setting the 'webmentions_disabled' post meta to true, as the plugin supports disabling Webmentions per post.

Additionally, you can implement network-level restrictions to prevent the web server from making outbound HTTP requests to internal or unauthorized locations, thereby limiting the impact of SSRF.

Monitoring and filtering incoming requests to the Webmention endpoint to block suspicious or malformed requests can also help reduce exploitation risk.

Overall, the best mitigation is to apply the official patch or update the plugin to a secure version.
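The network-level restriction described above can be mirrored in application code: before any server-side fetch of a user-supplied URL, resolve the host yourself and refuse anything that is not a public unicast address. The guard below is an added example (not code from the Webmention plugin or from its fix, whose details this record does not show). The `resolver` parameter and the `CANNED_DNS` table are assumptions so the check runs offline; the host names and addresses in that table are constructed.

```python
"""Deny-by-default destination check for server-side fetches.

Added example (not code from the Webmention plugin or its fix): a guard of
the kind the mitigation text describes, applied in application code before
any outbound request. It resolves the host name itself and refuses loopback,
private, link-local and other non-global addresses, so a user-supplied URL
cannot steer the server at internal services. The `resolver` parameter and
the CANNED_DNS table are assumptions so the check can run offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve host to all of its A/AAAA addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table standing in for DNS so the demo runs offline.
CANNED_DNS = {
    "example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}


def canned_resolver(host):
    """Offline stand-in for default_resolver (assumed, for the demo only)."""
    try:
        return CANNED_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


def is_public_address(addr_text):
    """True only for a globally routable unicast address."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def check_fetch_target(url, resolver=default_resolver):
    """Return (ok, reason, addresses).

    ok is True only if every address the host resolves to is public. A caller
    should then connect to one of the returned addresses (sending the original
    Host header) instead of resolving again, so a DNS answer that changes
    between check and connect cannot redirect the request internally.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP address: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            return False, f"resolution failed: {exc}", []
    if not addrs:
        return False, "no addresses", []
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, "non-public address(es): " + ", ".join(bad), addrs
    return True, "ok", addrs


if __name__ == "__main__":
    for candidate in ("https://example.org/author", "http://localhost/",
                      "http://metadata.internal/latest", "http://rebind.test/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        ok, reason, addrs = check_fetch_target(candidate, canned_resolver)
        print(f"{'ALLOW' if ok else 'DENY ':5} {candidate:35} {reason}")
```

Two design points matter in practice. First, the check must be re-applied on every redirect hop, since an allowed public host can answer with a redirect to an internal address. Second, a host that resolves to a mix of public and private addresses (the `rebind.test` entry) is refused outright rather than filtered, because the client library, not this code, would pick which address to connect to. In a WordPress setting, core's `wp_safe_remote_get()` and `wp_safe_remote_post()` perform comparable destination validation through `wp_http_validate_url()`, which is the natural place to route plugin fetches.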


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Webmention plugin allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF), enabling them to make web requests to arbitrary locations from the web application and potentially query or modify internal services.

Such unauthorized access and manipulation of internal services could lead to exposure or alteration of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the provided context and resources do not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.

