CVE-2026-5737
Description
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SSRF in Independent Analytics ≤2.14.9 via public tracking route and cURL favicon fetcher with static signature.
Vulnerability
The Independent Analytics plugin for WordPress versions up to and including 2.14.9 contains a Server-Side Request Forgery (SSRF) vulnerability in the /wp-json/iawp/search public tracking route. The route accepts attacker-controlled referrer_url values when the signature matches. Signature validation is insufficient because the signing salt is static per site and the signature is embedded in publicly accessible JavaScript, allowing attackers to extract valid signatures. The stored referrer domains are later fetched by a scheduled favicon downloader in IAWP/Favicon/FaviconDownloader.php that uses raw cURL functions (curl_init, CURLOPT_URL) without any SSRF protection — it does not block localhost, private IP ranges, or use WordPress's wp_safe_remote_* functions [1][2][3][4].
Exploitation
An unauthenticated attacker first extracts a valid signature from the plugin's publicly served JavaScript, then sends a crafted request to /wp-json/iawp/search whose referrer_url points at a host of their choosing (e.g., http://169.254.169.254/latest/meta-data/ or an internal service). Because the signature matches, the attacker-controlled domain is written to the database. When the scheduled favicon job next runs, the plugin calls FaviconDownloader::download(), which calls attempt_download() and passes the stored URL to curl_init with redirects followed up to 10 times [3][4]. No network restrictions are enforced on the destination, so the request reaches loopback, link-local and private addresses just as it would a public site.
Impact
Successful exploitation allows an unauthenticated attacker to make arbitrary HTTP requests from the WordPress server to any host, including internal services (e.g., cloud metadata endpoints, internal APIs, databases). This can lead to information disclosure of sensitive data, such as cloud provider credentials or internal network reconnaissance [1][2]. The favicon fetcher runs with the web server's privileges and may be used to probe internal infrastructure.
Mitigation
The description lists all versions up to and including 2.14.9 as affected, so the fix is expected in 2.14.10; site administrators should update to 2.14.10 or later. The fix is reported as replacing the raw cURL fetch with WordPress's wp_safe_remote_get() and validating referrer_url [4], but the fix diff has not been reviewed on this page (the Patches section lists none), so treat those details as unconfirmed. Until the update is applied, two workarounds reduce exposure: disable the scheduled favicon fetch (the FetchFaviconsJob cron task) so stored domains are never requested, and add a WAF rule on /wp-json/iawp/search that rejects referrer_url values whose host is an IP literal in the loopback (127.0.0.0/8), link-local (169.254.0.0/16) or RFC 1918 ranges, or a name such as localhost. The WAF rule is a stopgap only: it cannot see through a public hostname that resolves to an internal address, so the server-side fix is still required.
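The fetch pattern described under Vulnerability and Exploitation, and the guard the Mitigation section calls for, as an added example. This is not code from the Independent Analytics plugin; the `example_` functions, the `/favicon.ico` path and the hop limit are assumptions made for illustration, and the block requires PHP 8 with the curl extension.

```php
<?php
// Added example for this advisory; not the plugin's code. Names prefixed
// "example_" are hypothetical. Shows the unsafe pattern the advisory describes
// (a stored referrer domain fed straight to cURL with redirects followed) next
// to a guarded fetch that validates every hop before connecting.

// Unsafe pattern, as described: whatever domain sits in the database becomes the
// request target, and cURL follows redirects to wherever the response points.
function example_fetch_favicon_unsafe(string $domain): string|false
{
    $ch = curl_init('http://' . $domain . '/favicon.ico');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,   // redirect chain is followed blindly
        CURLOPT_MAXREDIRS      => 10,
    ]);
    $body = curl_exec($ch);               // 169.254.169.254, 127.0.0.1:8080, ... all reachable
    curl_close($ch);
    return $body;
}

// Guard: accept only http(s) URLs on default ports whose host, and every address
// the host resolves to, lies outside loopback, link-local and private ranges.
function example_is_public_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return false;                     // no favicon lives on an admin or metadata port
    }
    $host = strtolower(trim($parts['host'], '[]'));   // parse_url keeps IPv6 brackets

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];             // IP literal: check it as-is
    } else {
        // Hostname: check every A and AAAA record, so a DNS name the attacker
        // controls cannot smuggle in an internal address. Lookup failure fails closed.
        $addresses = gethostbynamel($host) ?: [];
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rr) {
            $addresses[] = $rr['ipv6'];
        }
    }
    if ($addresses === []) {
        return false;
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7.
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Guarded fetch: redirects are not followed automatically; each Location target
// goes back through the guard, so a public host cannot bounce the request inward.
function example_fetch_favicon_safe(string $domain, int $max_hops = 3): string|false
{
    $url = 'https://' . $domain . '/favicon.ico';
    for ($hop = 0; $hop < $max_hops; $hop++) {
        if (!example_is_public_url($url)) {
            return false;
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,  // no file://, gopher://, ...
            CURLOPT_CONNECTTIMEOUT => 3,
            CURLOPT_TIMEOUT        => 5,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);
        if ($status >= 300 && $status < 400 && is_string($next) && $next !== '') {
            $url = $next;                 // loop re-validates the redirect target
            continue;
        }
        return $status === 200 && is_string($body) ? $body : false;
    }
    return false;                         // too many hops
}

// Constructed inputs: IP literals need no DNS, so the guard's verdict on them can
// be checked offline. The metadata endpoint from the Exploitation section is
// blocked by the link-local range check, not by any hostname allow-list.
foreach ([
    'http://169.254.169.254/latest/meta-data/',
    'http://127.0.0.1:8080/',
    'http://[::1]/favicon.ico',
    'http://10.0.0.5/favicon.ico',
    'https://8.8.8.8/favicon.ico',
] as $candidate) {
    printf("%-45s %s\n", $candidate, example_is_public_url($candidate) ? 'allowed' : 'blocked');
}
```

Two caveats a reviewer should raise against even the guarded version. First, the hostname is resolved twice, once in the guard and again inside cURL, so a DNS answer that changes between the two lookups (DNS rebinding) can still reach an internal address; pinning the validated address with CURLOPT_RESOLVE, or connecting to the checked IP with an explicit Host header, closes that window. Second, inside WordPress the preferred sink is wp_safe_remote_get(), which runs the target through wp_http_validate_url() and rejects hosts resolving to loopback and RFC 1918 addresses unless a filter allows them; before relying on it for this bug, confirm that the WordPress version in use also rejects the 169.254.0.0/16 link-local range, since that is where cloud metadata services answer.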
- https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/IAWP/Views/View.php#L252
- https://plugins.trac.wordpress.org/browser/independent-analytics/tags/2.14.4/IAWP/Views/View.php#L252
- https://plugins.trac.wordpress.org/browser/independent-analytics/tags/2.14.4/IAWP/Favicon/FaviconDownloader.php#L57
- https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/IAWP/Favicon/FaviconDownloader.php#L57
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=2.14.9
- (no CPE) range: <=2.14.9
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (10)
- plugins.trac.wordpress.org/browser/independent-analytics/tags/2.14.4/IAWP/Favicon/FaviconDownloader.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/tags/2.14.4/IAWP/FetchFaviconsJob.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/tags/2.14.4/IAWP/REST_API.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/tags/2.14.4/IAWP/Views/View.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/trunk/IAWP/Favicon/FaviconDownloader.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/trunk/IAWP/FetchFaviconsJob.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/trunk/IAWP/REST_API.php (nvd)
- plugins.trac.wordpress.org/browser/independent-analytics/trunk/IAWP/Views/View.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/06ecc40c-6a63-4354-9f49-1925896622f5 (nvd)
News mentions (0)
No linked articles in our index yet.