CVE-2026-5737
Deferred Deferred - Pending Action
Server-Side Request Forgery in Independent Analytics WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-5737
EUVD
EUVD-2026-32702
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
independent_analytics independent_analytics_plugin to 2.14.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Independent Analytics plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 2.14.9. This occurs because the plugin has a public tracking route (/wp-json/iawp/search) that accepts attacker-controlled referrer_url values when a signature matches. However, the signature validation is weak since the signature is embedded in publicly accessible JavaScript and the salt used is static per site, allowing attackers to extract valid signatures.

Additionally, the plugin includes a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains without any SSRF protections such as localhost blocking or private network filtering. This means unauthenticated attackers can inject malicious referrer domains into the database and cause the server to make requests to arbitrary hosts, including internal services.

Impact Analysis

This vulnerability can allow unauthenticated attackers to make the server perform requests to arbitrary hosts, including internal network services that are normally inaccessible from outside. This can lead to information disclosure, unauthorized access to internal resources, or further exploitation of internal services.

Because the attacker can inject malicious referrer domains and trigger server-side requests, it may also be possible to use this as a pivot point for additional attacks within the internal network.

Mitigation Strategies

Immediate mitigation steps include updating the Independent Analytics plugin to a version later than 2.14.9 where this vulnerability is fixed.

If an update is not immediately possible, consider disabling or restricting access to the /wp-json/iawp/search endpoint to prevent unauthenticated attackers from exploiting the SSRF.

Additionally, monitor and restrict outgoing HTTP requests from the server to prevent abuse of the favicon fetcher functionality.

Implement network-level controls such as firewall rules to block unauthorized outbound requests to internal or sensitive network ranges.

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized server-side requests initiated by the Independent Analytics plugin, especially requests to internal or unexpected external domains triggered via the /wp-json/iawp/search endpoint.

Since the vulnerability involves attacker-controlled referrer_url values and cURL requests without SSRF protections, you can look for suspicious entries in your web server logs or database where referrer_url values are stored.

Commands to help detect exploitation attempts might include:

  • Using web server logs to search for requests to /wp-json/iawp/search with unusual or unexpected referrer_url parameters, e.g., `grep "/wp-json/iawp/search" /var/log/apache2/access.log`
  • Checking database entries for suspicious referrer_url values that point to internal or unexpected hosts.
  • Monitoring outgoing network connections from the server for unusual cURL requests to internal IP ranges or unexpected external domains.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart