HIGHCVE-2026-0807Published 2026-01-24Modified 2026-04-08CNA Wordfence

CVE-2026-0807: Frontis Blocks <= 1.1.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint.

CVSS v3.1: 7.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

wpmessiah / Frontis Blocks — Block Library for the Block Editor
≤ 1.1.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References

wordfence.com
plugins.trac.wordpress.org
plugins.trac.wordpress.org
plugins.trac.wordpress.org

Metrics