Platform
wordpress
Component
frontis-blocks
Fixed in
1.1.7
CVE-2026-0807 is a Server-Side Request Forgery (SSRF) vulnerability discovered in the Frontis Blocks plugin, a block library for the WordPress editor. This vulnerability allows unauthenticated attackers to initiate web requests to arbitrary locations originating from the WordPress application. The vulnerability affects versions 0.0.0 through 1.1.6 of the plugin, and a fix is available in version 1.1.7.
The SSRF vulnerability in Frontis Blocks lets an attacker reach internal resources that are not directly exposed to the internet: services bound only to localhost or the internal network, internal APIs, and any other host the WordPress server can reach, which can in turn be scanned for further vulnerable systems. An attacker could use this to exfiltrate data, perform reconnaissance, or escalate the attack. The /template-proxy/ and /proxy-image/ endpoints are the attack vectors. While the plugin itself does not handle sensitive data, the ability to make arbitrary requests from the server opens up a broad range of impacts depending on the server's configuration and internal network topology.
CVE-2026-0807 was publicly disclosed on 2026-01-24. There are currently no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. Because the flaw needs no authentication and SSRF in a URL-proxying endpoint is straightforward to exploit, it could become a target for opportunistic scanning.
WordPress websites using the Frontis Blocks plugin, particularly those with limited network segmentation or exposed internal services, are at risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'template_proxy' /var/www/html/wp-content/plugins/frontis-blocks/
• generic web:
curl -I https://your-wordpress-site.com/template-proxy/ | grep -i server
• wordpress / composer / npm:
wp plugin list --status=active | grep frontis-blocks
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0807 is to upgrade the Frontis Blocks plugin to version 1.1.7 or later. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests to the /template-proxy/ and /proxy-image/ endpoints, or deactivate the plugin until the update can be applied. Additionally, restrict outbound network access from the WordPress server to only the internal resources it actually needs, so that a forged request cannot reach internal APIs or other services that are not exposed to the internet. Review WordPress access logs for requests to these endpoints whose target parameter points at loopback, private or link-local addresses, and check egress firewall or proxy logs for connections from the web server that do not match its normal destinations; the forged outbound requests themselves do not appear in the web server's own access log. Rolling back to an earlier plugin release is not a fix, since every version before 1.1.7 (0.0.0 through 1.1.6) is affected.
Update to version 1.1.7 or a newer patched version.
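To make the two points above concrete (what a URL-proxying endpoint must check before fetching, and how to triage access-log entries for the proxy routes), here is an added example. It is not Frontis Blocks' own code and does not reflect how the plugin or its fix is implemented; the query parameter name "url", the exact route prefix, and the Apache combined log format are assumptions, and the log lines and resolver answers are constructed so the script runs offline.

```python
# Added example (not Frontis Blocks' code): SSRF target validation for a
# URL-fetching proxy endpoint, plus triage of access-log lines for requests
# to /template-proxy/ and /proxy-image/ that point at internal targets.
# Assumptions: the target is passed in a query parameter named "url" (the
# real parameter name is not given on the advisory page) and the log is in
# Apache/nginx combined format. Sample log lines below are constructed.
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}
PROXY_ROUTES = ("/template-proxy/", "/proxy-image/")


def ip_is_internal(ip_text):
    """True for loopback, RFC 1918, link-local (which covers the
    169.254.169.254 cloud metadata address), multicast, reserved and
    unspecified addresses, for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve host to all of its A/AAAA records; unresolvable -> []."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_proxy_target(url, resolver=system_resolver):
    """Return (ok, reason). ok is True only for http(s) URLs whose host is,
    or resolves exclusively to, a public address. Every resolved address is
    checked, not just the first. To defeat DNS rebinding the HTTP client
    must then connect to the address vetted here rather than re-resolving."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)          # literal IP, bracketed IPv6 included
        literal = True
    except ValueError:
        literal = False
    if literal:
        if ip_is_internal(host):
            return False, f"internal address {host}"
        return True, "ok"
    # Hostnames (and odd numeric forms such as 2130706433, which many
    # resolvers accept) are resolved so the check sees the address the
    # HTTP client would actually use instead of pattern-matching the string.
    addresses = resolver(host)
    if not addresses:
        return False, "unresolvable host"
    for addr in addresses:
        if ip_is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_proxy_requests(log_lines, resolver=system_resolver, param="url"):
    """Return one dict per request to a proxy route whose target fails
    check_proxy_target. Route matching is by substring, so the REST prefix
    in front of /template-proxy/ does not matter. Requests without the
    target parameter are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("path"))
        if not any(route in req.path for route in PROXY_ROUTES):
            continue
        target = parse_qs(req.query).get(param, [""])[0]
        if not target:
            continue
        ok, reason = check_proxy_target(target, resolver)
        if not ok:
            hits.append({"client": m.group("client"), "time": m.group("ts"),
                         "target": target, "reason": reason,
                         "status": m.group("status")})
    return hits


# Constructed sample log (combined format, RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2026:10:00:01 +0000] "GET /template-proxy/?url=https%3A%2F%2Fexample.com%2Ftemplate.json HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [24/Jan/2026:10:00:02 +0000] "GET /proxy-image/?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 310 "-" "curl/8.5.0"',
    '198.51.100.2 - - [24/Jan/2026:10:00:03 +0000] "GET /template-proxy/?url=http%3A%2F%2Flocalhost%3A8080%2Fadmin HTTP/1.1" 200 150 "-" "python-requests/2.32"',
    '198.51.100.2 - - [24/Jan/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]


def offline_resolver(host):
    """Fixed DNS answers (assumed values) so the example runs without network."""
    table = {"example.com": ["93.184.216.34"], "localhost": ["127.0.0.1", "::1"]}
    return table.get(host.lower(), [])


if __name__ == "__main__":
    for hit in flag_proxy_requests(SAMPLE_LOG, offline_resolver):
        print(f'{hit["time"]} {hit["client"]} -> {hit["target"]}: {hit["reason"]}')
```

Run against a real log, pass `system_resolver` (the default) and feed the file line by line; the two flagged sample entries are the metadata-service and localhost targets, while the public template fetch and the unrelated index.php request are ignored. In a WordPress plugin the equivalent building block is `wp_safe_remote_get()`, which rejects non-http(s) schemes and loopback/private targets before the request is made; the example above is a stand-alone illustration of the same checks, not that function.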
CVE-2026-0807 is a Server-Side Request Forgery vulnerability affecting versions 0.0.0–1.1.6 of the Frontis Blocks WordPress plugin, allowing attackers to make arbitrary web requests.
If you are using Frontis Blocks plugin versions 0.0.0 through 1.1.6 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the Frontis Blocks plugin to version 1.1.7 or later to resolve the SSRF vulnerability. Consider WAF rules as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the Frontis Blocks official website and WordPress plugin repository for the latest advisory and update information.