CVE-2026-46697
Server-Side Request Forgery in Fediverse Embeds WordPress Plugin

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor          Product            Version / Range
stefanbohacek   fediverse_embeds   up to 1.5.8 (excluding)
stefanbohacek   fediverse_embeds   1.5.8
stefanbohacek   fediverse_embeds   1.5.9
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-46697 is a high-severity vulnerability in the Fediverse Embeds WordPress plugin, versions 1.5.7 and earlier. It is an unauthenticated Server-Side Request Forgery (SSRF) and open-proxy issue in the plugin's REST media-proxy endpoint.

The plugin registered an unauthenticated REST route (/ftf/media-proxy) that accepted a base64-encoded URL and forwarded it to wp_remote_get() without proper validation or an allowlist. This allowed attackers to send requests to internal or arbitrary systems and receive the full response body back.

Although the source code contained comments indicating that requests should be validated against allowed fediverse domains, the validation in 1.5.7 only set a flag that was never read, so any anonymous visitor could use the endpoint to fetch arbitrary URLs.

The issue was patched in versions 1.5.8 and 1.5.9 by adding URL and host validation functions that block private and reserved IP ranges and enforce domain allowlisting.

Impact Analysis

This vulnerability can allow attackers to perform unauthorized internal network requests through the vulnerable WordPress plugin, effectively using the server as an open proxy.

Attackers can exploit this to access sensitive internal services or data that are not normally exposed externally.

Because the full response body is returned to the attacker, it can lead to data exfiltration from internal systems.

The vulnerability has a high CVSS score of 7.5, indicating significant risk due to its potential for unauthorized internal network access and data leakage.

Detection Guidance

A site is affected if it runs Fediverse Embeds version 1.5.7 or earlier: those versions register the unauthenticated REST route `/ftf/media-proxy`, which accepts a base64-encoded URL and forwards it without proper validation.

To detect exploitation attempts or presence of this vulnerability on your system, you can monitor HTTP requests to the `/ftf/media-proxy` endpoint, especially those containing base64-encoded URLs.

  • Use web server access logs to search for requests to the `/ftf/media-proxy` endpoint, for example: `grep '/ftf/media-proxy' /var/log/apache2/access.log` or the equivalent for your web server.
  • Look for suspicious base64-encoded URL parameters in requests, which may indicate attempts to exploit the SSRF vulnerability.
  • Use network monitoring tools or intrusion detection systems to flag outbound HTTP requests initiated by the plugin to unexpected internal or external IP addresses.

Because the endpoint forwards arbitrary URLs without validation, a script that decodes the base64 parameters found in these requests and checks whether the decoded URLs point to internal or sensitive network resources can help detect exploitation.

Mitigation Strategies

The immediate and most effective mitigation is to update the Fediverse Embeds WordPress plugin to version 1.5.8 or later, where the vulnerability has been patched.

The patch introduces validation functions (`is_safe_host` and `is_safe_url`) that enforce checks on URLs and hosts, blocking requests to private or reserved IP ranges and only allowing media from trusted Fediverse servers.

  • Update the plugin to version 1.5.8 or newer as soon as possible.
  • If an immediate update is not possible, restrict the `/ftf/media-proxy` REST endpoint to authenticated users or block it with web server rules.
  • Monitor and block suspicious requests to the media-proxy endpoint that contain arbitrary or unexpected URLs.
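The following Python is an added example, not the plugin's code or part of this advisory; it serves both the detection guidance above (decoding base64 query values in access-log requests to `/ftf/media-proxy` and flagging targets outside the allowlist) and the allowlist-plus-private-range validation described under mitigation. The allowlist host `example.social`, the `url` parameter name used only in the constructed sample, the client address 203.0.113.5 and the log lines are all constructed assumptions; a production validator would additionally check the addresses a hostname resolves to.

```python
import base64
import ipaddress
import re
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"example.social"}  # constructed allowlist of fediverse hosts (assumption)
def is_safe_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist check in the spirit of the 1.5.8 fix (an illustration, not the plugin's code)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit already lowercases it
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in allowed_hosts  # a hostname: it must be on the allowlist
    return ip.is_global and host in allowed_hosts  # literal IP: no loopback/private/reserved

def decode_b64_url(value):
    """Return the decoded text if value is standard or URL-safe base64 of an http(s) URL."""
    value = unquote(value)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(value + "=" * (-len(value) % 4)).decode("utf-8")
        except ValueError:  # malformed base64 (binascii.Error) or non-UTF-8 bytes
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None

def find_suspicious_proxy_requests(log_lines):
    """Decoded targets of /ftf/media-proxy requests the allowlist rejects (every query value is tried)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)  # request target from the log line
        if not m or "/ftf/media-proxy" not in m.group(1):
            continue
        for pair in urlsplit(m.group(1)).query.split("&"):
            url = decode_b64_url(pair.partition("=")[2])
            if url and not is_safe_url(url):
                hits.append(url)
    return hits

def _entry(url):  # one constructed access-log line with url base64-encoded in the query
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f'203.0.113.5 - - [11/Jun/2026:10:00:01 +0000] "GET /wp-json/ftf/media-proxy?url={token} HTTP/1.1" 200 512'
# Constructed sample log: a legitimate fetch, a loopback target, and an unrelated request.
SAMPLE_LOG = [_entry("https://example.social/media/1.png"), _entry("http://127.0.0.1/"),
              '203.0.113.5 - - [11/Jun/2026:10:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048']
```

Running `find_suspicious_proxy_requests(SAMPLE_LOG)` flags only the loopback target, which is the kind of request the Detection Guidance above says to look for.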