CVE-2026-5737
Received Received - Intake
Server-Side Request Forgery in Independent Analytics WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-5737
EUVD
EUVD-2026-32702
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
independent_analytics independent_analytics_plugin to 2.14.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Independent Analytics plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 2.14.9. This occurs because the plugin has a public tracking route (/wp-json/iawp/search) that accepts attacker-controlled referrer_url values when a signature matches. However, the signature validation is weak since the signature is embedded in publicly accessible JavaScript and the salt used is static per site, allowing attackers to extract valid signatures.

Additionally, the plugin includes a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains without any SSRF protections such as localhost blocking or private network filtering. This means unauthenticated attackers can inject malicious referrer domains into the database and cause the server to make requests to arbitrary hosts, including internal services.


How can this vulnerability impact me? :

This vulnerability can allow unauthenticated attackers to make the server perform requests to arbitrary hosts, including internal network services that are normally inaccessible from outside. This can lead to information disclosure, unauthorized access to internal resources, or further exploitation of internal services.

Because the attacker can inject malicious referrer domains and trigger server-side requests, it may also be possible to use this as a pivot point for additional attacks within the internal network.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart