CVE-2026-4328
Status: Received - Intake
Server-Side Request Forgery in Advanced Import WordPress Plugin

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Wordfence

Description
The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() in the demo_download_and_unzip() function to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which strips tags, line breaks and stray whitespace but places no restriction on the destination host) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries); that function sets reject_unsafe_urls so that core's wp_http_validate_url() refuses loopback and private-range hosts, but the plugin fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.
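The following is an added illustration, not code from the Advanced Import plugin or from Wordfence. It reconstructs the pattern the description gives (a handler that passes $_POST['demo_file'] through sanitize_text_field() into wp_remote_get() when 'demo_file_type' is 'url') and places a hardened form next to it. Only the parameter names and the upload_files capability come from the advisory; the function names, the nonce action 'example_demo_import', the timeout and the example_is_public_http_url() helper are assumptions.

```php
<?php
// Added illustration (not the plugin's own code). Parameter names and the
// capability follow the advisory; all function names are hypothetical.

// --- Vulnerable pattern, as described for versions <= 1.4.6 ----------------
function example_demo_download_vulnerable() {
    // Assumed: the plugin already gates the handler on upload_files, which is
    // why the advisory requires Author-level access or above.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $type = isset( $_POST['demo_file_type'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_file_type'] ) ) : '';
    $file = isset( $_POST['demo_file'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_file'] ) ) : '';

    if ( 'url' === $type ) {
        // sanitize_text_field() strips tags and whitespace; it says nothing
        // about WHERE the request goes, and wp_remote_get() adds no check of
        // its own, so http://169.254.169.254/ or http://127.0.0.1:8080/ is
        // fetched from inside the server's network.
        $response = wp_remote_get( $file, array( 'timeout' => 60 ) );
        $body     = wp_remote_retrieve_body( $response );
        // ... unzip $body into the uploads directory ...
    }
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------

/**
 * True only for absolute http(s) URLs whose host resolves exclusively to
 * public IPv4 addresses. FILTER_FLAG_NO_PRIV_RANGE rejects RFC 1918 space;
 * FILTER_FLAG_NO_RES_RANGE rejects loopback and reserved space, including the
 * 169.254.0.0/16 link-local range used by cloud metadata services.
 * gethostbynamel() only returns A records, so an AAAA-only host is refused
 * (a deliberately conservative failure).
 */
function example_is_public_http_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, ftp://, gopher:// ...
    }
    $host = $parts['host'];
    $ips  = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return false; // unresolvable host or bracketed IPv6 literal
    }
    foreach ( $ips as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false; // a single private/reserved record is enough to refuse
        }
    }
    return true;
}

function example_demo_download_hardened() {
    check_ajax_referer( 'example_demo_import', 'nonce' ); // assumed nonce action
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $type = isset( $_POST['demo_file_type'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_file_type'] ) ) : '';
    // esc_url_raw() keeps only allowed protocols; the host check comes next.
    $file = isset( $_POST['demo_file'] ) ? esc_url_raw( wp_unslash( $_POST['demo_file'] ) ) : '';

    if ( 'url' === $type ) {
        if ( ! example_is_public_http_url( $file ) ) {
            wp_send_json_error( 'demo_file must be a public http(s) URL', 400 );
        }
        // wp_safe_remote_get() sets reject_unsafe_urls, so core's
        // wp_http_validate_url() runs as a second, independent check.
        // redirection => 0 stops the fetch from following a redirect to a
        // second host that was never validated.
        $response = wp_safe_remote_get( $file, array(
            'timeout'     => 60,
            'redirection' => 0,
        ) );
        if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
            wp_send_json_error( 'download failed', 502 );
        }
        $body = wp_remote_retrieve_body( $response );
        // ... unzip $body into the uploads directory ...
    }
    wp_send_json_success();
}
```

Two caveats a practitioner should keep in mind. First, the hardened handler resolves the hostname once in the helper and WordPress resolves it again when it connects, so an attacker controlling the DNS zone can answer differently between the two lookups (DNS rebinding); pinning the connection to the checked address needs an HTTP client that accepts a pre-resolved IP, which the WordPress HTTP API does not expose. Second, wp_safe_remote_get() on its own rejects only the ranges listed in wp_http_validate_url() of the installed core version, so confirm that the link-local range is covered there before relying on it alone; where the demo source is a fixed server, an allowlist of that host is stronger than any denylist of addresses.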
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor            Product           Version / Range
advanced_import   advanced_import   up to and including 1.4.6
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

The Advanced Import plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 1.4.6. This occurs because the plugin uses the wp_remote_get() function to fetch a URL supplied by the user without properly validating whether the URL points to internal or private network resources. Specifically, the 'demo_file' parameter from a POST request is sanitized only for XSS issues and then passed directly to wp_remote_get() when 'demo_file_type' is set to 'url'.

While the plugin uses a safer function (wp_safe_remote_get()) elsewhere, it fails to do so in this critical AJAX handler, allowing authenticated users with Author-level access or higher to make arbitrary web requests from the web application.

This vulnerability enables attackers to query and view data from internal services, including sensitive cloud instance metadata endpoints.

Impact Analysis

This vulnerability can allow an authenticated attacker with Author-level access or higher to make unauthorized web requests from the vulnerable WordPress site to arbitrary locations, including internal network resources.

As a result, attackers could access sensitive internal data or services that are not normally exposed externally, such as cloud instance metadata endpoints, potentially leading to information disclosure.

The CVSS base score of 6.4 indicates a medium severity impact, with potential confidentiality and integrity loss but no direct availability impact.
