CVE-2026-46697
Deferred - Pending Action

Server-Side Request Forgery in Fediverse Embeds WordPress Plugin

Vulnerability report for CVE-2026-46697, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 3 associated CPEs

Vendor         Product            Version / Range
stefanbohacek  fediverse_embeds   up to 1.5.8 (excluded)
stefanbohacek  fediverse_embeds   1.5.8
stefanbohacek  fediverse_embeds   1.5.9

Exploitability

CWE ID   Description
CWE-918  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46697 is a high-severity vulnerability in the Fediverse Embeds WordPress plugin versions 1.5.7 and earlier. It involves an unauthenticated Server-Side Request Forgery (SSRF) and open proxy issue through the REST media-proxy endpoint.

The plugin registered an unauthenticated REST route (/ftf/media-proxy) that accepted a base64-encoded URL and forwarded it to wp_remote_get() without proper validation or an allowlist. This allowed attackers to send requests to internal or arbitrary systems and receive the full response body back.

Although the source code contained comments indicating that requests should be validated against allowed fediverse domains, the actual validation was ineffective, making the endpoint reachable by any anonymous visitor.

The issue was patched in versions 1.5.8 and 1.5.9 by adding URL and host validation functions that block private and reserved IP ranges and enforce domain allowlisting.

Compliance Impact

The vulnerability in Fediverse Embeds prior to version 1.5.8 allowed unauthenticated Server-Side Request Forgery (SSRF) and open proxy access, enabling attackers to make arbitrary requests to internal or external systems and receive full response bodies. This could potentially lead to unauthorized access to sensitive data or internal services.

Such unauthorized data access and potential data exfiltration could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

The issue was patched by adding strict URL and host validation to ensure only trusted Fediverse servers are proxied, mitigating the risk of unauthorized data exposure and helping maintain compliance with these standards.

Impact Analysis

This vulnerability can allow attackers to perform unauthorized internal network requests through the vulnerable WordPress plugin, effectively using the server as an open proxy.

Attackers can exploit this to access sensitive internal services or data that are not normally exposed externally.

Because the full response body is returned to the attacker, it can lead to data exfiltration from internal systems.

The vulnerability has a high CVSS score of 7.5, indicating significant risk due to its potential for unauthorized internal network access and data leakage.

Detection Guidance

To determine whether your site is exposed, check whether it runs Fediverse Embeds version 1.5.7 or earlier; those versions register an unauthenticated REST route `/ftf/media-proxy` that accepts base64-encoded URLs and forwards them without proper validation.

To detect exploitation attempts or presence of this vulnerability on your system, you can monitor HTTP requests to the `/ftf/media-proxy` endpoint, especially those containing base64-encoded URLs.

  • Use web server access logs to search for requests to `/ftf/media-proxy` endpoint, for example: `grep '/ftf/media-proxy' /var/log/apache2/access.log` or equivalent for your web server.
  • Look for suspicious base64-encoded URL parameters in requests, which may indicate attempts to exploit the SSRF vulnerability.
  • Use network monitoring tools or intrusion detection systems to flag outbound HTTP requests initiated by the plugin to unexpected internal or external IP addresses.

Since the vulnerability involves forwarding arbitrary URLs without validation, commands or scripts that decode base64 parameters and verify if they point to internal or sensitive network resources can help detect exploitation.

Mitigation Strategies

The immediate and most effective mitigation is to update the Fediverse Embeds WordPress plugin to version 1.5.8 or later, where the vulnerability has been patched.

The patch introduces validation functions (`is_safe_host` and `is_safe_url`) that enforce checks on URLs and hosts, blocking requests to private or reserved IP ranges and only allowing media from trusted Fediverse servers.

  • Update the plugin to version 1.5.8 or newer as soon as possible.
  • If an immediate update is not possible, restrict the `/ftf/media-proxy` REST endpoint to authenticated users, or block it with web server rules.
  • Monitor and block suspicious requests to the media-proxy endpoint that contain arbitrary or unexpected URLs.
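The following Python script is an added example that ties the detection guidance and the mitigation description above together; it is not the plugin's code and not part of the advisory. `unsafe_reason()` implements the kind of policy the patched `is_safe_host` / `is_safe_url` checks are described as enforcing (http(s) only, allowlisted host, no private or reserved destination) and returns a decision instead of setting a flag that nothing reads; `scan_access_log()` decodes the base64 value from each `/ftf/media-proxy` request in access-log lines and reports the requests that policy would have refused. The allowlist, the DNS answers in `FAKE_DNS`, the public addresses in it, the sample log lines, the `/wp-json` route prefix and the query parameter name `url` are all assumptions made for this example; the scanner does not depend on the parameter name and tries every query value.

```python
import base64
import ipaddress
import re
import socket
from urllib.parse import quote, unquote, urlparse

# Constructed allowlist of instances this site embeds from (an example policy, not the plugin's own),
# and constructed DNS answers so the example runs offline; swap in live_resolver for real checks.
ALLOWED_HOSTS = {"mastodon.social", "fosstodon.org"}
FAKE_DNS = {"mastodon.social": {"93.184.216.34"}, "fosstodon.org": {"93.184.216.35"}}
fake_resolver = lambda host: FAKE_DNS.get(host, set())

LOG_REQUEST = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

def live_resolver(host):
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def unsafe_reason(url, allowed_hosts, resolver=live_resolver):
    """Return None if the URL may be proxied, otherwise the reason it must be refused."""
    try:
        parts = urlparse(url)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"
    if not host:
        return "missing host"
    if host not in allowed_hosts:
        return f"host {host!r} not on allowlist"
    addrs = resolver(host)
    if not addrs:
        return f"host {host!r} did not resolve"
    for addr in addrs:  # every resolved address must be public, not just the first one
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return f"host {host!r} resolves to non-public address {addr}"
    return None

def decode_proxy_target(value):
    """Decode a query value as base64 (standard or URL-safe); keep it only if it is an http(s) URL."""
    value = value.strip()
    padded = value + "=" * (-len(value) % 4)
    for decode in (lambda v: base64.b64decode(v, validate=True), base64.urlsafe_b64decode):
        try:
            text = decode(padded).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None

def scan_access_log(lines, allowed_hosts, resolver=live_resolver):
    """Flag media-proxy requests whose decoded target fails the policy in unsafe_reason()."""
    findings = []
    for line in lines:
        match = LOG_REQUEST.search(line)
        if not match:
            continue
        request = urlparse(match.group("path"))
        if not request.path.endswith("/ftf/media-proxy"):
            continue
        target = None
        for pair in request.query.split("&"):  # parameter name is not assumed; every value is tried
            _, _, raw = pair.partition("=")
            target = decode_proxy_target(unquote(raw))
            if target:
                break
        reason = ("no decodable URL in query" if target is None
                  else unsafe_reason(target, allowed_hosts, resolver))
        if reason:
            findings.append({"line": line, "target": target, "reason": reason})
    return findings

def _proxy_line(client, raw_param):
    # Constructed Apache combined-log line; the parameter name "url" is made up for the example.
    return (f'{client} - - [11/Jun/2026:10:00:00 +0000] "GET /wp-json/ftf/media-proxy?url={raw_param} '
            f'HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

def _b64(url):
    return quote(base64.b64encode(url.encode()).decode(), safe="")

# Constructed sample: a legitimate embed, a private-address target, an undecodable parameter,
# an unrelated request, and a non-allowlisted external host.
SAMPLE_LOG_LINES = [
    _proxy_line("198.51.100.7", _b64("https://mastodon.social/media/a.png")),
    _proxy_line("198.51.100.8", _b64("http://10.0.0.5/")),
    _proxy_line("198.51.100.9", "notbase64!!"),
    '198.51.100.7 - - [11/Jun/2026:10:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    _proxy_line("198.51.100.10", _b64("https://example.com/")),
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG_LINES, ALLOWED_HOSTS, fake_resolver):
        print(f"{finding['reason']}: {finding['target']}")
```

Run it directly to print the three flagged sample requests, or pass real access-log lines and `live_resolver` to `scan_access_log()`. One caveat applies to any resolve-then-fetch check, including this example: the HTTP client resolves the hostname again when it connects, so a host whose DNS answer changes between the check and the fetch can still reach a blocked address; pinning the checked address for the fetch, or enforcing the check on the address actually connected to, closes that gap.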
