CVE-2026-46698
Server-Side Request Forgery in Fediverse Embeds

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php), which verified the nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 and includes/Helpers.php lines 64-83), so the nonce check was not an authentication boundary: any visitor to a public post with an embed could read the nonce and reuse it. This issue has been patched in version 1.5.9.
Affected Vendors & Products (2 associated CPEs)

Vendor         Product            Version / Range
stefanbohacek  fediverse_embeds   up to 1.5.9 (excluding)
stefanbohacek  fediverse_embeds   1.5.9
CWE

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

The vulnerability is a Server-Side Request Forgery (SSRF) that allows attackers to make unauthorized server-side requests to internal or external URLs via the Fediverse Embeds WordPress plugin. While the impact is limited to the exposure of parsed Open Graph metadata and does not disclose full response content, it could potentially be exploited to access internal resources.

This record does not state any direct effect on compliance with standards such as GDPR or HIPAA. However, SSRF vulnerabilities can put data confidentiality and integrity at risk, which are central requirements of those regulations. If exploited, such a vulnerability could give unauthorized access to sensitive data or internal systems and so lead to non-compliance with data protection requirements.

The vulnerability was patched by adding URL safety validation to prevent unauthorized requests, which helps mitigate risks related to compliance.

Executive Summary

CVE-2026-46698 is a Server-Side Request Forgery (SSRF) vulnerability in the Fediverse Embeds WordPress plugin versions 1.5.7 and earlier.

The vulnerability arises from an unauthenticated AJAX action called wp_ajax_nopriv_ftf_get_site_info that accepts a user-supplied URL and fetches its content using the function file_get_html() after verifying a nonce.

However, the nonce was exposed on every public page containing a fediverse embed, so any visitor could read and reuse it; the nonce check therefore provided no authentication.

This allows an attacker to make the server request internal or external URLs, although only parsed Open Graph metadata is returned, which limits the impact compared to full response disclosure.

The issue was patched in version 1.5.9 by adding a URL validation check (is_safe_url) to ensure only safe URLs are processed.

Impact Analysis

This vulnerability allows attackers to make unauthorized server-side requests from the WordPress server to internal or external URLs.

While the plugin only returns parsed Open Graph metadata, this SSRF can be used to probe internal network resources or access restricted hosts, potentially exposing sensitive information or enabling further attacks.

Because the nonce used for verification is publicly accessible on pages with fediverse embeds, any visitor can exploit this without authentication.

The impact is rated medium with a CVSS score of 5.3, indicating a moderate security risk.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unusual calls to the AJAX action ftf_get_site_info (registered as wp_ajax_nopriv_ftf_get_site_info and reached through admin-ajax.php) on WordPress sites running Fediverse Embeds version 1.5.7 or earlier.

Since the vulnerability involves server-side requests to attacker-supplied URLs, you can look for network traffic or logs showing requests to internal or unexpected external URLs initiated by the WordPress server.

  • Check web server access logs for requests to admin-ajax.php with the action parameter set to ftf_get_site_info. Note that admin-ajax.php also accepts the action in a POST body, which standard access logs do not record, so a log search only catches calls that put the parameters in the query string.
  • Use command-line tools like grep to find such requests, for example: grep 'action=ftf_get_site_info' /var/log/apache2/access.log
  • Monitor outgoing HTTP requests from the server to detect unexpected calls to internal or external URLs, for example using tcpdump or Wireshark filtering for HTTP traffic. Pay particular attention to connections from the web server process to loopback, RFC 1918 or link-local addresses, which a public embed lookup has no reason to contact.
  • Example tcpdump command: tcpdump -i eth0 -A 'tcp port 80 or tcp port 443'. The -A flag only shows readable content for plaintext HTTP on port 80; for port 443 the payload is TLS-encrypted, so use the capture to identify destinations rather than request contents.
Mitigation Strategies

The immediate and recommended mitigation is to update the Fediverse Embeds WordPress plugin to version 1.5.9 or later, where the vulnerability has been patched.

The patch includes validation functions that check the safety of URLs and hosts before processing, preventing SSRF attacks.

  • Update the plugin to version 1.5.9 or newer.
  • If updating immediately is not possible, consider blocking requests to admin-ajax.php whose action parameter is ftf_get_site_info at the web server or WAF (blocking admin-ajax.php as a whole would break other plugins and themes), or restricting that action to trusted users only.
  • Monitor and block suspicious outgoing HTTP requests from the server that may be triggered by exploitation attempts.
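As an added illustration that is not part of this record or of the plugin's own code, the following Python script combines the two ideas above: a model of the kind of URL safety gate the 1.5.9 patch introduces (http(s) only, no loopback, private or link-local literal addresses) and a scanner that applies it to access-log lines to flag ftf_get_site_info calls whose target should have been refused. It assumes the Apache combined log format and that the fetched URL travels in a query parameter named site_url; the advisory does not name the parameter, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-log lines (not captured from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ftf_get_site_info&site_url=https%3A%2F%2Fmastodon.social%2F HTTP/1.1" 200 512
203.0.113.10 - - [11/Jun/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024
203.0.113.10 - - [11/Jun/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ftf_get_site_info&site_url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 77
203.0.113.10 - - [11/Jun/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ftf_get_site_info&site_url=http%3A%2F%2F10.0.0.5%3A8080%2Fstatus HTTP/1.1" 200 77
"""

# client ip, two ident/user fields, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_safe_target(url: str) -> bool:
    """Model of a URL safety gate (not the plugin's is_safe_url): http(s) only and
    no literal address in loopback, RFC 1918 or link-local space. Runs offline, so
    hostnames are not resolved; a production check must also test resolved addresses."""
    t = urlparse(url)
    host = t.hostname or ""
    if t.scheme not in ("http", "https") or not host or host.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name, not a literal; resolution check belongs in production
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)

def classify_line(line: str):
    """None for lines that are not ftf_get_site_info calls; otherwise who asked
    for which URL and whether the target fails the safety gate."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = urlparse(m["path"])
    if not req.path.endswith("/admin-ajax.php"):
        return None
    qs = parse_qs(req.query)
    if qs.get("action", [""])[0] != "ftf_get_site_info":
        return None
    target = qs.get("site_url", [""])[0]  # ASSUMED parameter name; the advisory does not name it
    return {"client": m["ip"], "target": target, "suspicious": not is_safe_target(target)}

def scan(log_text: str) -> list:
    """Apply classify_line to every line and keep only the ftf_get_site_info records."""
    return [r for r in map(classify_line, log_text.splitlines()) if r]
```

Running scan(SAMPLE_LOG) yields three records; the first (a public Mastodon instance) is benign, the other two target loopback and an RFC 1918 address and are flagged.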