CVE-2026-10287

An attacker can remotely send a POST request to `index.php` with a crafted `url` parameter. This parameter is passed directly to `get_headers()` and `file_get_contents()` without sufficient validation, enabling Server-Side Request Forgery [CWE-918]. The application does not restrict requests to private, loopback, or link-local IP ranges. Additionally, `file_get_contents()` follows HTTP redirects by default, allowing an attacker-controlled URL to redirect the server-side fetch to an internal endpoint, bypassing naive blacklists [ref_id=1].

The vulnerability resides in the `fetchMetaTags()` function within the `index.php` file. Specifically, the `url` parameter is passed without adequate validation to the `get_headers()` function at line 8 and `file_get_contents()` at line 13, both of which are sinks for the SSRF vulnerability [ref_id=1].

The advisory recommends a multi-pronged approach to fix the vulnerability. This includes implementing a scheme allowlist for `http` and `https`, resolving hostnames and validating resolved IP addresses against private, loopback, and link-local ranges, and disabling HTTP redirect following by default. Additionally, setting request timeouts and maximum content lengths are suggested to limit abuse for port scanning and denial-of-service attacks [ref_id=1].

1. Deploy SEO Meta Tag Extractor 1.0 on a host with an internal service bound to its loopback interface. 2. Start the vulnerable application using `php -S 0.0.0.0:8080`. 3. From an external host, submit a POST request with the `url` parameter set to an internal address, e.g., `http://127.0.0.1:9999/`. 4. Observe that the HTTP response contains content fetched from the internal service, confirming the SSRF [ref_id=1].