VYPR
Medium severity · 5.3 · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-46698

Description

Fediverse Embeds WordPress plugin prior to 1.5.9 had an SSRF vulnerability via a public-nonce AJAX endpoint, allowing attackers to probe internal networks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Fediverse Embeds plugin for WordPress (versions prior to 1.5.9) registers an unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info in includes/Site_Info.php. This action accepts a user-supplied URL and calls file_get_html($site_url) to fetch and parse Open Graph metadata. Although the endpoint checks a nonce (ftf-fediverse-embeds-nonce), the same nonce is enqueued on every public page containing a fediverse embed (via includes/Enqueue_Assets.php and includes/Helpers.php), making it accessible to any visitor. Thus the nonce does not provide authentication; an attacker can obtain it from a public post and reuse it. [1][2]

Exploitation

An attacker needs only to visit a public WordPress post that includes a fediverse embed to extract the nonce from the page source. They can then send a crafted POST request to /wp-admin/admin-ajax.php with action=ftf_get_site_info, a target URL (e.g., http://internal-listener:9090/), and the stolen nonce. The server will fetch the URL and return parsed metadata, effectively performing a server-side request forgery (SSRF). [2]

Impact

Successful exploitation allows an attacker to make the WordPress server issue HTTP requests to arbitrary internal or external hosts. The response is limited to parsed Open Graph metadata, but this can still be used to probe internal services, scan ports, or access cloud metadata endpoints (e.g., AWS EC2 metadata). The CVSS score is 5.3 (Medium) due to the limited data returned. [2]

Mitigation

The vulnerability is patched in version 1.5.9. The fix adds an is_safe_url() check in Site_Info.php that validates the host is not a private or reserved IP address and that the scheme is HTTP or HTTPS. Users should update to version 1.5.9 or later. No workaround is available for earlier versions. [1][2]

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
93821405790c

Fixed SSRF vulnerability in site info endpoint.

3 files changed · +56 −51
  • includes/Helpers.php+49 0 modified
    @@ -109,6 +109,55 @@ public static function format_bytes($size, $precision = 2)
             return $size_formatted;
    
         }
    
     
    
    +    public static function is_safe_host(string $host): bool
    
    +    {
    
    +        $host = trim($host, '[]');
    
    +
    
    +        if (filter_var($host, FILTER_VALIDATE_IP)) {
    
    +            return (bool) filter_var(
    
    +                $host,
    
    +                FILTER_VALIDATE_IP,
    
    +                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    
    +            );
    
    +        }
    
    +
    
    +        $a_records    = dns_get_record($host, DNS_A)    ?: [];
    
    +        $aaaa_records = dns_get_record($host, DNS_AAAA) ?: [];
    
    +        $all_records  = array_merge($a_records, $aaaa_records);
    
    +
    
    +        if (empty($all_records)) {
    
    +            return false;
    
    +        }
    
    +
    
    +        foreach ($all_records as $record) {
    
    +            $ip = $record['ip'] ?? $record['ipv6'] ?? null;
    
    +            if ($ip === null) {
    
    +                return false;
    
    +            }
    
    +            if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    
    +                return false;
    
    +            }
    
    +        }
    
    +
    
    +        return true;
    
    +    }
    
    +
    
    +    public static function is_safe_url(string $url): bool
    
    +    {
    
    +        $parsed = parse_url($url);
    
    +
    
    +        if (!in_array($parsed['scheme'] ?? '', ['http', 'https'], true)) {
    
    +            return false;
    
    +        }
    
    +
    
    +        $host = $parsed['host'] ?? '';
    
    +        if ($host === '') {
    
    +            return false;
    
    +        }
    
    +
    
    +        return self::is_safe_host($host);
    
    +    }
    
    +
    
         public static function generate_random_string($length = 10) {
    
             $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    
             $characters_length = strlen($characters);
    
    
  • includes/Media_Proxy.php+2 51 modified
    @@ -29,55 +29,6 @@ public function register_media_proxy_endpoint(/* $_REQUEST */)
             ));
         }
     
    -    private function is_safe_host(string $host): bool
    -    {
    -        $host = trim($host, "[]");
    -
    -        if (filter_var($host, FILTER_VALIDATE_IP)) {
    -            return (bool) filter_var(
    -                $host,
    -                FILTER_VALIDATE_IP,
    -                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    -            );
    -        }
    -
    -        $a_records    = dns_get_record($host, DNS_A)    ?: [];
    -        $aaaa_records = dns_get_record($host, DNS_AAAA) ?: [];
    -        $all_records  = array_merge($a_records, $aaaa_records);
    -
    -        if (empty($all_records)) {
    -            return false;
    -        }
    -
    -        foreach ($all_records as $record) {
    -            $ip = $record["ip"] ?? $record["ipv6"] ?? null;
    -            if ($ip === null) {
    -                return false;
    -            }
    -            if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    -                return false;
    -            }
    -        }
    -
    -        return true;
    -    }
    -
    -    private function is_safe_url(string $url): bool
    -    {
    -        $parsed = parse_url($url);
    -
    -        if (!in_array($parsed["scheme"] ?? "", ["http", "https"], true)) {
    -            return false;
    -        }
    -
    -        $host = $parsed["host"] ?? "";
    -        if ($host === "") {
    -            return false;
    -        }
    -
    -        return $this->is_safe_host($host);
    -    }
    -
         public function proxy_media(\WP_REST_Request $request)
         {
             $url = $request["url"];
    @@ -104,7 +55,7 @@ public function proxy_media(\WP_REST_Request $request)
                 }
             }
     
    -        if (empty($url) || !$this->is_safe_url($url)) {
    +        if (empty($url) || !Helpers::is_safe_url($url)) {
                 status_header(403);
                 exit();
             }
    @@ -142,7 +93,7 @@ public function proxy_media(\WP_REST_Request $request)
                             "s3.",
                         ), "", $domain);
     
    -                    if ($this->is_safe_host($stripped_domain)) {
    +                    if (Helpers::is_safe_host($stripped_domain)) {
                             $remote_response = wp_remote_get("https://$stripped_domain/.well-known/nodeinfo", array(
                                 "user-agent" => "FTF: Fediverse Embeds; WordPress/" . $wp_version . "; " . get_bloginfo("url"),
                             ));
    
  • includes/Site_Info.php+5 0 modified
    @@ -30,6 +30,11 @@ function get_site_info()
                 $description = '';
    
     
    
                 if ($site_data === false) {
    
    +                if (!Helpers::is_safe_url($site_url)) {
    
    +                    wp_send_json_error();
    
    +                    return;
    
    +                }
    
    +
    
                     $site_html = file_get_html($site_url);
    
     
    
                     if ($site_html) {
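Review bot: the `return;` after `wp_send_json_error()` is unreachable, since wp_send_json_error() terminates the request itself; drop it so a reader does not assume control continues past the check. More importantly, only the URL string the client sent is validated: `file_get_html($site_url)` on the next line resolves the host again and, through file_get_contents(), follows HTTP redirects by default, so neither a changed DNS answer nor a 302 from an allowed host to an internal address is caught by this hunk. Fetching with wp_remote_get() and 'redirection' => 0 (or re-running Helpers::is_safe_url() on each Location target) closes the redirect half; the lookup half needs the validated address to be pinned rather than re-resolved.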
    
    

Vulnerability mechanics

Root cause

"Missing server-side URL validation in the unauthenticated AJAX action allows an attacker to make the server fetch arbitrary internal URLs."

Attack vector

An unauthenticated attacker visits a public post that contains a fediverse embed and extracts the public nonce from the page source. The attacker then sends a POST request to `wp-admin/admin-ajax.php` with `action=ftf_get_site_info`, the attacker-controlled URL (e.g. `http://internal-listener:9090/`), and the stolen nonce. The server fetches the supplied URL via `file_get_html()` and returns parsed Open Graph metadata, enabling internal network reconnaissance [ref_id=2].
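The page describes the probing but gives no way to spot it; the following Python is an added example written for this page, not code from the plugin or from VYPR. It assumes a reverse proxy or WAF that records admin-ajax.php POST bodies as JSON lines with ts, client, method, path and body fields (the sample lines are constructed), and that the action takes its target in a url parameter, a name the page does not state. Hostnames are deliberately left unresolved, since a log-side rule should not perform lookups of its own; a second rule catches sweeps by counting distinct host:port targets per client instead.

```python
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "ftf_get_site_info"
# Names that never belong in an Open Graph fetch. Other hostnames cannot be
# judged without resolving them, which this log-side rule does not do.
SUSPECT_NAMES = {"localhost", "metadata.google.internal", "instance-data"}


def target_is_internal(url: str) -> bool:
    """True when the supplied target is something an embed fetch should never
    hit: a non-http(s) scheme or missing host, a well-known internal name, or
    a non-public IP literal (loopback, RFC1918, link-local, reserved)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").strip("[]").lower()
    if parts.scheme not in ("http", "https") or not host:
        return True
    if host in SUSPECT_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: not judged here
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def analyse(lines: Iterable[str], scan_threshold: int = 5) -> List[Dict]:
    """Rule 1: any ftf_get_site_info call whose target is internal.
    Rule 2: one client supplying >= scan_threshold distinct host:port targets,
    the shape of a host or port sweep regardless of what the targets are."""
    alerts: List[Dict] = []
    targets_by_client: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").endswith(AJAX_PATH):
            continue
        params = parse_qs(rec.get("body", ""))
        if params.get("action", [""])[0] != ACTION:
            continue
        target = params.get("url", [""])[0]  # assumed parameter name
        parts = urlsplit(target)
        try:
            port = parts.port
        except ValueError:  # malformed port string
            port = None
        targets_by_client[rec["client"]].add((parts.hostname, port))
        if target_is_internal(target):
            alerts.append({"rule": "ssrf-internal-target", "client": rec["client"],
                           "ts": rec["ts"], "target": target})
    for client, targets in targets_by_client.items():
        if len(targets) >= scan_threshold:
            alerts.append({"rule": "ssrf-scan-pattern", "client": client,
                           "distinct_targets": len(targets)})
    return alerts


def _rec(ts: str, client: str, action: str, url: Optional[str] = None) -> str:
    """Build one constructed log line in the assumed JSON-lines format."""
    body = {"action": action, **({"url": url} if url is not None else {})}
    return json.dumps({"ts": ts, "client": client, "method": "POST",
                       "path": AJAX_PATH, "body": urlencode(body)})


# Constructed sample: one legitimate embed lookup, one unrelated AJAX action,
# and one client walking loopback ports, an RFC1918 host, the link-local
# metadata address and IPv6 loopback.
SAMPLE_LOG = [
    _rec("2026-06-11T10:00:01Z", "203.0.113.7", ACTION, "https://social.example/@alice/1"),
    _rec("2026-06-11T10:00:02Z", "203.0.113.7", "heartbeat"),
    _rec("2026-06-11T10:05:00Z", "198.51.100.23", ACTION, "http://127.0.0.1:9090/"),
    _rec("2026-06-11T10:05:01Z", "198.51.100.23", ACTION, "http://127.0.0.1:22/"),
    _rec("2026-06-11T10:05:02Z", "198.51.100.23", ACTION, "http://10.0.0.5:8080/"),
    _rec("2026-06-11T10:05:03Z", "198.51.100.23", ACTION, "http://169.254.169.254/latest/meta-data/"),
    _rec("2026-06-11T10:05:04Z", "198.51.100.23", ACTION, "http://[::1]:6379/"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run as-is it prints five ssrf-internal-target alerts and one ssrf-scan-pattern alert, all for 198.51.100.23; the legitimate lookup from 203.0.113.7 produces nothing. The scan rule is the one that still fires after the plugin is updated, since a patched site answers the probes with a JSON error but the attacker's request pattern is unchanged.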

Affected code

The unauthenticated AJAX action `wp_ajax_nopriv_ftf_get_site_info` in `includes/Site_Info.php` called `file_get_html($site_url)` on an attacker-supplied URL without validating the host or IP. The same nonce (`ftf-fediverse-embeds-nonce`) was enqueued on every public page containing a fediverse embed (`includes/Enqueue_Assets.php` lines 41-46, `includes/Helpers.php` lines 64-83), so any visitor could extract it and reuse it.

What the fix does

The patch adds a call to `Helpers::is_safe_url($site_url)` inside `Site_Info.php::get_site_info()`, in the `$site_data === false` branch immediately before `file_get_html()` is invoked, and returns a JSON error when the URL fails the check [patch_id=5619879]. The helper requires an `http` or `https` scheme and a non-empty host; an IP-literal host is accepted only if it lies outside private and reserved ranges, and a hostname is accepted only if it resolves (A and AAAA records) and every resolved address lies outside those ranges. The `is_safe_url` and `is_safe_host` methods were moved from `Media_Proxy.php` into the shared `Helpers` class so both endpoints use the same validation logic.
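The validator described here (and in the Mitigation section above), modelled in Python as an added example rather than the plugin's own PHP, so that it runs stand-alone with the resolver injected. `ip_is_safe()` approximates PHP's FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE with the ipaddress module, and `is_safe_host()`/`is_safe_url()` follow the Helpers.php hunk step for step. `FlippingResolver`, `fetch_after_check()` and `validate_and_pin()` are hypothetical names introduced here to show what the description of the fix leaves implicit: the check resolves the name, discards the answer, and the fetch resolves it again, which a rebinding name with a short TTL exploits. The pinned variant resolves once and hands back the address the caller must connect to.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# A resolver maps a host name to the address strings DNS returned for it.
Resolver = Callable[[str], Iterable[str]]


def ip_is_safe(ip_text: str) -> bool:
    """Stand-in for filter_var(..., FILTER_FLAG_NO_PRIV_RANGE |
    FILTER_FLAG_NO_RES_RANGE): reject private, loopback, link-local,
    multicast, unspecified and otherwise reserved addresses, v4 or v6."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_reserved or ip.is_loopback
                or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def is_safe_host(host: str, resolver: Resolver) -> bool:
    """Mirror of Helpers::is_safe_host(): an IP literal is checked directly;
    a name must resolve, and every returned address must pass ip_is_safe()."""
    host = host.strip("[]")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        records = list(resolver(host))
        return bool(records) and all(ip_is_safe(r) for r in records)
    return ip_is_safe(host)


def is_safe_url(url: str, resolver: Resolver) -> bool:
    """Mirror of Helpers::is_safe_url(): http(s) scheme and a non-empty host,
    then is_safe_host() on that host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return is_safe_host(parts.hostname, resolver)


class FlippingResolver:
    """Constructed DNS behaviour for the demo: answers are handed out one per
    query, which is what a rebinding name with a zero TTL looks like."""
    def __init__(self, answers: Iterable[str]):
        self._answers: List[str] = list(answers)

    def __call__(self, host: str) -> List[str]:
        return [self._answers.pop(0)] if self._answers else []


def fetch_after_check(url: str, resolver: Resolver) -> Optional[str]:
    """Models the patched flow: is_safe_url() resolves the name once, then the
    fetch (file_get_html() in the plugin) resolves it again. Returns the
    address the fetch would actually connect to, or None if validation failed."""
    if not is_safe_url(url, resolver):
        return None
    return next(iter(resolver(urlsplit(url).hostname)), None)


def validate_and_pin(url: str, resolver: Resolver) -> Optional[str]:
    """Hardened variant (hypothetical, not the plugin's code): resolve once,
    validate every answer, and return the address to connect to so the caller
    can pin it (curl CURLOPT_RESOLVE, or connect by IP with a Host header)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.strip("[]")
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = list(resolver(host))
    if addrs and all(ip_is_safe(a) for a in addrs):
        return addrs[0]
    return None


if __name__ == "__main__":
    public_only = lambda host: ["93.184.216.34"]  # constructed answer
    for u in ("http://127.0.0.1:9090/", "http://[::1]/", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/", "ftp://93.184.216.34/",
              "http://", "http://93.184.216.34/", "https://social.example/"):
        print(f"{u:45} safe={is_safe_url(u, public_only)}")
    # Rebinding: first answer public (passes the check), second answer internal
    # (used by the fetch). The patched flow connects to 10.0.0.5; pinning does not.
    rebind = ["93.184.216.34", "10.0.0.5"]
    print("fetch_after_check ->", fetch_after_check("http://rebind.example/", FlippingResolver(rebind)))
    print("validate_and_pin  ->", validate_and_pin("http://rebind.example/", FlippingResolver(rebind)))
```

The pinned address has to be used by the HTTP client as well (CURLOPT_RESOLVE, or a connection by IP that still sends the original Host header and SNI), and redirects need the same validation per hop; otherwise the validator only proves what the name meant at the instant it was checked.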

Preconditions

  • network: The attacker must be able to visit a public WordPress post that contains a fediverse embed marker.
  • input: The attacker must extract the public nonce from the page source of that post.
  • config: The target WordPress site must have the Fediverse Embeds plugin installed and active, at a version prior to 1.5.9.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.