Critical severity 9.6 · NVD Advisory · Published Oct 28, 2022 · Updated Apr 8, 2026
CVE-2022-3708
Description
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected products (1)
Patches (2)
- 6756bda68963
- 3ad2099f9515
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b (nvd: Patch, Third Party Advisory)
- github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0 (nvd: Patch, Release Notes, Third Party Advisory)
- wordpress.org/plugins/web-stories (nvd: Product, Release Notes, Third Party Advisory)
- www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e (nvd: Third Party Advisory)
- www.wordfence.com/vulnerability-advisories-continued/ (nvd: Third Party Advisory)