CVE-2026-56026
Deferred Deferred - Pending Action
Subscriber Server Side Request Forgery in utm.codes <= 1.9.0

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-56026
EUVD
EUVD-2026-39689
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack utm.codes to 1.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-56026 is a Server Side Request Forgery (SSRF) vulnerability found in the WordPress utm.codes plugin versions 1.9.0 and earlier.

This flaw allows an attacker to manipulate the affected website into making requests to arbitrary domains, which the attacker controls or chooses.

Such manipulation can lead to exposure of sensitive information from other services running on the same system.

Impact Analysis

The vulnerability can be exploited to make the vulnerable website send requests to arbitrary domains, potentially exposing sensitive internal data or services.

This can lead to unauthorized access to information that should be protected, increasing the risk of data leaks.

Because the vulnerability has a CVSS score of 6.4, it represents a moderate risk and could be targeted in widespread attacks affecting many websites.

Detection Guidance

The vulnerability allows attackers to manipulate the website into making requests to arbitrary domains, which may be detected by monitoring unusual outbound HTTP requests from the affected system.

While specific commands are not provided, network administrators can use tools like curl or wget to test if the utm.codes plugin version 1.9.0 or earlier is vulnerable by attempting to trigger SSRF behavior.

Additionally, monitoring web server logs for unexpected or suspicious requests that cause the server to make outbound connections to unusual domains can help detect exploitation attempts.

Mitigation Strategies

The immediate recommended step is to update the utm.codes WordPress plugin to version 1.9.1 or later, which contains the patch for this SSRF vulnerability.

If updating immediately is not possible, applying the mitigation rule provided by Patchstack to block attack attempts can help reduce risk until the update is applied.

Users are also advised to seek assistance from their hosting provider or developer to ensure proper mitigation and patching.

Compliance Impact

The vulnerability allows attackers to manipulate the website into making requests to arbitrary domains, potentially exposing sensitive information from other services running on the system.

Such exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Therefore, if exploited, this SSRF vulnerability could compromise the confidentiality of sensitive data, impacting compliance with these common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart