HarborGuard Database
CVE-2026-46697 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46697: Fediverse Embeds: Unauthenticated SSRF / open proxy via REST media-proxy endpoint

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8.
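To make the defect concrete, the following is an added illustration, not Fediverse Embeds' own code and not the 1.5.8 patch. It shows the 1.5.7 pattern the advisory describes (public route, base64 URL, validation that only sets an unread flag, body echoed back) beside one hardened handler. The request parameter name `url`, the `ftf` namespace, the `ftf_example_*` function names and the `ftf_example_allowed_hosts` option are assumptions for illustration; the WordPress APIs used (`register_rest_route`, `wp_remote_get`, `wp_safe_remote_get`, `wp_parse_url`, `WP_Error`) are real.

```php
<?php
// Added example (not the plugin's code, not the upstream fix). Assumed for
// illustration: the 'url' parameter, the 'ftf' namespace, the ftf_example_*
// names and the ftf_example_allowed_hosts option.

function ftf_example_allowed_hosts() {
	// Exact hostnames of the fediverse instances the site owner chose to embed.
	return array_map( 'strtolower', (array) get_option( 'ftf_example_allowed_hosts', array() ) );
}

// ---- Pattern the advisory describes for 1.5.7 ------------------------------
function ftf_example_vulnerable_media_proxy( WP_REST_Request $request ) {
	$url = base64_decode( (string) $request->get_param( 'url' ) );

	// The allowlist check only sets a flag that nothing below ever reads.
	$can_download_media = false;
	$host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
	if ( in_array( $host, ftf_example_allowed_hosts(), true ) ) {
		$can_download_media = true;
	}

	$response = wp_remote_get( $url ); // any scheme, host or IP; follows up to 5 redirects
	header( 'Content-Type: ' . wp_remote_retrieve_header( $response, 'content-type' ) );
	echo wp_remote_retrieve_body( $response ); // full response body: open proxy
	exit;
}

// ---- One hardened form -----------------------------------------------------
function ftf_example_hardened_media_proxy( WP_REST_Request $request ) {
	$url = base64_decode( (string) $request->get_param( 'url' ), true ); // strict decode
	if ( false === $url ) {
		return new WP_Error( 'ftf_bad_url', 'Invalid encoding.', array( 'status' => 400 ) );
	}

	$p = wp_parse_url( $url );
	if ( empty( $p['scheme'] ) || 'https' !== strtolower( $p['scheme'] )
		|| empty( $p['host'] ) || isset( $p['user'] ) || isset( $p['pass'] )
		|| ( isset( $p['port'] ) && 443 !== (int) $p['port'] ) ) {
		return new WP_Error( 'ftf_bad_url', 'Only https URLs without credentials or custom ports.', array( 'status' => 400 ) );
	}

	// The check the 1.5.7 comment block asked for, now actually enforced.
	if ( ! in_array( strtolower( $p['host'] ), ftf_example_allowed_hosts(), true ) ) {
		return new WP_Error( 'ftf_forbidden_host', 'Host not in allowlist.', array( 'status' => 403 ) );
	}

	// Resolve and reject private and link-local targets (169.254.0.0/16 included),
	// so an allowlisted name that points at internal space is still refused.
	$ip = gethostbyname( $p['host'] ); // returns the name unchanged on failure, which also fails the filter
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
		return new WP_Error( 'ftf_forbidden_target', 'Target resolves to a non-public address.', array( 'status' => 403 ) );
	}

	$response = wp_safe_remote_get( $url, array(
		'redirection'         => 0,                // a 302 off the allowlisted host is not followed
		'timeout'             => 5,
		'limit_response_size' => 5 * MB_IN_BYTES,  // no unbounded relay of large bodies
	) );
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return new WP_Error( 'ftf_upstream', 'Upstream fetch failed.', array( 'status' => 502 ) );
	}

	$type = (string) wp_remote_retrieve_header( $response, 'content-type' );
	if ( 0 !== strpos( $type, 'image/' ) ) { // a media proxy only needs to relay images
		return new WP_Error( 'ftf_bad_type', 'Only image responses are proxied.', array( 'status' => 415 ) );
	}
	header( 'Content-Type: ' . $type );
	header( 'X-Content-Type-Options: nosniff' );
	echo wp_remote_retrieve_body( $response );
	exit;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'ftf', '/media-proxy', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'ftf_example_hardened_media_proxy',
		// Embeds render on public pages, so the route stays anonymous; the
		// protection is the target validation above, not authentication.
		'permission_callback' => '__return_true',
		'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
	) );
} );
```

Two design points worth noting. `wp_safe_remote_get` enables WordPress's `reject_unsafe_urls` check, which refuses 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, but not 169.254.0.0/16, so the explicit resolver check is what keeps the cloud metadata address out of reach; and `redirection => 0` matters because an otherwise trustworthy allowlisted host can answer with a redirect to an internal address. A DNS answer that changes between the check and the fetch (rebinding) remains a residual risk that application code cannot fully close, which is why an egress filter at the network layer is still worth having.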

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: not yet populated in the structured record (the advisory text states 1.5.8)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a server-side request forgery (SSRF) vulnerability in the Fediverse Embeds WordPress plugin, versions prior to 1.5.8. The flaw is reachable over the network by any unauthenticated visitor: the plugin exposes a REST endpoint that accepts a base64-encoded URL and forwards it through the server without any effective allowlist validation, then echoes the full response back to the caller. Successful exploitation lets an attacker use the WordPress server as an open proxy to read internal network resources, cloud metadata endpoints, or other services unreachable from the public internet. The upstream fix shipped in version 1.5.8; HarborGuard's patched-image rebuild at that version is triggered once the fix is confirmed in the upstream advisory feed (see the Patch status below).

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46697 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle this plugin.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH and weights it against each environment's configured compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Patch: Pending upstream

The structured fix-version field in the upstream advisory record is not yet populated (the advisory text itself names 1.5.8), so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 1.5.8 or a later fix is confirmed upstream. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable REST endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress site's public or internal address.

  • Authentication: Not required

    The endpoint is registered with permission_callback set to __return_true, meaning no account or session of any privilege level is required.

  • Victim interaction: Not required

    The attack is fully server-side; no user needs to click a link, open a page, or take any action for exploitation to succeed.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free: the attacker only needs to supply a base64-encoded target URL, with no race conditions or environmental dependencies involved. Because the server issues a plain wp_remote_get($url), the attacker controls the target URL but not the request method, headers or body of the proxied request.

Blast Radius

  • An attacker can read the full response body of any URL the WordPress server can reach, including internal-network services not exposed to the public internet.
  • Cloud instance metadata endpoints (such as the AWS EC2 metadata service at 169.254.169.254) are reachable, potentially exposing IAM credentials or instance configuration. On AWS this applies to IMDSv1; IMDSv2 requires a session token obtained with a PUT request, which a GET-only proxy cannot issue.
  • Internal administrative interfaces, databases with HTTP APIs, or other backend services behind a firewall can be enumerated and read through the proxy.
  • Confidentiality of any data served by reachable internal HTTP endpoints is fully compromised; integrity and availability of the WordPress host itself are not directly affected by this vector, although internal endpoints that change state on a GET request remain reachable.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46697 is active across connected registries and pipelines, with findings scored at CVSS 7.5 HIGH and routed per each organization's compliance policy. Because the upstream fix version (1.5.8 per the advisory text) has not yet been confirmed in the structured advisory feed, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once version 1.5.8 is validated there. For customers who opt into auto-remediation, that rebuild will be accompanied by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls available through HarborGuard network policy tooling include isolating affected WordPress hosts behind an egress filter that blocks requests to RFC-1918 address ranges and cloud metadata IP addresses (169.254.169.254 is link-local, not RFC-1918, so it needs its own rule), and gating deployment of images containing this plugin version until the upstream patch is confirmed. On AWS, requiring IMDSv2 on affected instances also removes the metadata service from reach of this GET-only proxy.

Affected packages
  • stefanbohacek / fediverse-embeds-wordpress-plugin
    < 1.5.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N