Platform
wordpress
Component
webmention
Fixed in
5.6.3
CVE-2026-0686 describes a Server-Side Request Forgery (SSRF) vulnerability in the Webmention plugin for WordPress. The flaw lets unauthenticated attackers make the web server issue HTTP requests to destinations of their choosing, including internal services that are not reachable from the Internet, and read or potentially modify data there. All versions up to and including 5.6.2 are affected; the fix is included in 5.6.3 and later releases (updating to 5.7.0 or newer is recommended).
The Webmention plugin for WordPress is vulnerable to SSRF in all versions up to and including 5.6.2. The issue is in the 'MF2::parse_authorpage' function, reached from 'Receiver::post', the handler for incoming webmentions. A webmention is a POST that carries a source URL and a target URL; the receiver fetches the source, parses its microformats and, as the function name indicates, fetches the page of the author discovered in that markup. Because the source document is attacker-supplied, so is the author URL, and the plugin fetched it without adequately restricting where the request could go. The webmention endpoint is unauthenticated by design, so no credentials are needed to trigger the fetch. The CVSS base score is 7.2 (High). Updating the plugin is the only complete remediation.
To exploit it, an attacker hosts a page whose author markup points at an internal address (for example a loopback port, an RFC 1918 address or a cloud metadata endpoint) and submits a webmention naming that page as the source. The server-side fetch then reaches services that are unreachable from outside, such as administrative interfaces or data stores with an HTTP API. Whether the fetched content is visible to the attacker depends on what the plugin does with the response; even a blind SSRF lets an attacker probe for listening services and trigger state-changing GET requests. SSRF by itself does not execute commands on the web server; that would require chaining with a further weakness in a reachable internal service. No credentials are required, since accepting webmentions from anyone is the endpoint's purpose.
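The following is an added illustration, not code from the Webmention plugin: an author-page fetch written the SSRF-prone way next to a hardened version built on the WordPress HTTP API. It assumes the plugin's fetch goes through `wp_remote_get()`, which this page does not confirm, and the function names, sample URLs and the link-local helper are the editor's own. It has to run inside WordPress (for instance via `wp eval-file`) and needs DNS for the public example.

```php
<?php
/**
 * Illustrative example, not code from the Webmention plugin: an author-page
 * fetch in a webmention receiver written the SSRF-prone way, and a hardened
 * version. Runs inside WordPress since it uses the WordPress HTTP API.
 *
 * Receiver flow (simplified): a POST with `source` and `target` arrives, the
 * source is fetched and its microformats parsed, and authorship discovery
 * follows the author URL found in that markup. The author URL therefore
 * comes from the attacker's own document.
 */

// SSRF-prone pattern (assumed for illustration): fetch whatever URL the
// parsed source handed us. wp_remote_get() does not validate the destination.
function example_fetch_author_page_unsafe( string $author_url ): ?string {
	$response = wp_remote_get( $author_url, array( 'timeout' => 5 ) );
	return is_wp_error( $response ) ? null : wp_remote_retrieve_body( $response );
}

// Core's wp_http_validate_url() rejects non-http(s) schemes, credentials in
// the URL, 0/8, 10/8, 127/8, 172.16/12 and 192.168/16 destinations and ports
// other than 80/443/8080, but NOT link-local 169.254/16 (cloud metadata).
// This helper closes that gap using PHP's private/reserved range flags.
function example_resolves_to_internal( string $host ): bool {
	$is_literal = false !== filter_var( $host, FILTER_VALIDATE_IP );
	$ip         = $is_literal ? $host : gethostbyname( $host );
	if ( ! $is_literal && $ip === $host ) {
		return true; // lookup failed: fail closed
	}
	// NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
	// NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10, ...
	return false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

// Hardened pattern: validate, add the link-local check, then fetch with
// wp_safe_remote_get(), whose 'reject_unsafe_urls' also re-validates every
// redirect hop. Caveat: the name is resolved here and again by the HTTP
// client, so a DNS-rebinding attacker can still race the two lookups;
// pinning the resolved IP needs control below the WP HTTP API.
function example_fetch_author_page_safe( string $author_url ): ?string {
	$validated = wp_http_validate_url( $author_url );
	if ( false === $validated || example_resolves_to_internal( (string) wp_parse_url( $validated, PHP_URL_HOST ) ) ) {
		return null; // refuse rather than fall back to an unchecked request
	}
	$response = wp_safe_remote_get( $validated, array( 'timeout' => 5, 'redirection' => 3 ) );
	return is_wp_error( $response ) ? null : wp_remote_retrieve_body( $response );
}

// Constructed author URLs of the kind a crafted source page could carry.
$constructed_author_urls = array(
	'http://127.0.0.1:8080/',                   // loopback admin interface
	'http://169.254.169.254/latest/meta-data/', // cloud metadata; core alone allows this
	'http://10.0.0.5:9200/_cat/indices',        // internal service on a non-standard port
	'https://example.com/author/alice',         // ordinary public author page
);
foreach ( $constructed_author_urls as $url ) {
	$core_ok = false !== wp_http_validate_url( $url );
	$host    = (string) wp_parse_url( $url, PHP_URL_HOST );
	$allowed = $core_ok && ! example_resolves_to_internal( $host );
	printf( "%-45s core: %-8s final: %s\n", $url, $core_ok ? 'allowed' : 'rejected', $allowed ? 'allowed' : 'rejected' );
}
```

The loop at the end makes the practical point: WordPress core's own validation stops the loopback and RFC 1918 cases but passes the 169.254.169.254 metadata address, which is why the hardened fetch adds its own range check rather than relying on `wp_safe_remote_get()` alone.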
Exploit Status
EPSS
0.05% (17th percentile)
The recommended fix is to update the Webmention plugin to version 5.7.0 or later, which contains the correction for this SSRF. If you cannot update immediately, limit what a forged request can reach: block outbound traffic from the web server to internal address ranges and cloud metadata endpoints that WordPress does not need, do not let internal services trust the web server's IP address implicitly, and monitor for outbound connections from the web server to unexpected internal hosts. These measures reduce the impact of a successful request; only the update removes the vulnerability.
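As a stop-gap until the update can be applied, the site can force destination validation on every request that goes through the WordPress HTTP API. The must-use plugin below is an added example written for this page, not part of the Webmention plugin; it assumes the plugin's author-page fetch uses the WordPress HTTP API (the norm for WordPress plugins, but not confirmed by this advisory), and the internal host names in the allowlist are hypothetical.

```php
<?php
/**
 * Plugin Name: Force safe outbound HTTP (temporary SSRF mitigation)
 * Description: Drop-in mu-plugin (wp-content/mu-plugins/) that makes every
 *              request through the WordPress HTTP API behave like
 *              wp_safe_remote_*(). Illustrative; not part of the Webmention plugin.
 */

// 1. Force destination validation for all WP_Http requests. When
//    'reject_unsafe_urls' is true, core runs wp_http_validate_url(), which
//    blocks loopback/private IPv4 ranges, non-http(s) schemes, credentials in
//    the URL and unusual ports, and re-validates each redirect hop.
//    (It does not block link-local 169.254/16; see the egress note below.)
add_filter( 'http_request_args', function ( array $args, $url ): array {
	$args['reject_unsafe_urls'] = true;
	return $args;
}, PHP_INT_MAX, 2 );

// 2. Re-allow specific internal hosts the site legitimately needs
//    (hypothetical names). Without this, a local cache or search backend
//    reached over HTTP would start failing once step 1 is active.
add_filter( 'http_request_host_is_external', function ( $is_external, $host, $url ): bool {
	$allowed_internal_hosts = array( 'search.internal.example', 'cache.internal.example' );
	return (bool) $is_external || in_array( strtolower( (string) $host ), $allowed_internal_hosts, true );
}, 10, 3 );

// 3. Record what gets blocked so the mitigation can be observed. Core fires
//    'http_api_debug' with a WP_Error when a URL fails validation.
add_action( 'http_api_debug', function ( $response, $context, $class, $args, $url ): void {
	if ( is_wp_error( $response ) && 'http_request_failed' === $response->get_error_code() ) {
		error_log( sprintf( 'Outbound HTTP rejected: %s (%s)', (string) $url, $response->get_error_message() ) );
	}
}, 10, 5 );
```

Two limitations matter in practice. Plugins that bypass the WordPress HTTP API (raw cURL or `file_get_contents`) are unaffected by step 1, and core's validation still lets 169.254.169.254 through, so host or network level egress rules blocking the metadata address and internal ranges remain the more reliable control; this filter complements them rather than replacing them.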
Update to version 5.7.0 or a newer patched version.
SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to make a server perform requests to arbitrary locations.
The update removes the SSRF vulnerability.
Implement additional security measures, such as restricting access to internal services and monitoring outbound network traffic from the web server.
If you are running the Webmention plugin at version 5.6.2 or earlier, you are vulnerable.
It's important to stay up-to-date with the latest security updates for the Webmention plugin and other WordPress plugins.