Platform: wordpress
Component: webmention
Fixed in: 5.6.3
CVE-2026-0688 describes a Server-Side Request Forgery (SSRF) vulnerability in the Webmention plugin for WordPress. The flaw allows authenticated attackers with Subscriber-level access or higher to make arbitrary web requests that originate from the web application, potentially querying or modifying information held by internal services. It affects all Webmention plugin versions up to and including 5.6.2 and is fixed in version 5.7.0.
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 5.6.2 via the 'Tools::read' function. This flaw allows authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services, potentially compromising the security of the WordPress installation. The CVSS score is 6.4, indicating a moderate risk. Updating to version 5.7.0 is crucial to mitigate this vulnerability.
An attacker with Subscriber or higher access on a WordPress site using the vulnerable Webmention plugin can exploit this vulnerability. The attacker can send specially crafted web requests through the plugin, allowing the WordPress server to make requests to other servers on the attacker’s behalf. This can enable access to internal resources, reading confidential data, or even executing commands on other systems. Authentication is required, but the relatively low access level of 'Subscriber' expands the attack surface.
Exploit Status
EPSS: 0.03% (8th percentile)
The most effective mitigation is to immediately update the Webmention plugin to version 5.7.0 or higher. This version includes a fix for the SSRF vulnerability. If an immediate update is not possible, consider implementing additional security measures, such as restricting network access from the WordPress server and monitoring network traffic for suspicious activity. Additionally, review the plugin’s configuration to limit allowed Webmention sources, if possible. Failure to update leaves your website vulnerable to attack.
Update to version 5.7.0, or a newer patched version
SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to manipulate a server to make requests to resources the attacker couldn’t directly access.
If you are using a version of Webmention older than 5.7.0, your site is vulnerable. Check the plugin version in your WordPress admin dashboard.
Implement additional security measures such as restricting network access and monitoring traffic. Consider limiting allowed Webmention sources.
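The interim mitigation described in the section above and in this answer, restricting outbound network access from the WordPress server, can be applied at the WordPress HTTP API layer. The following must-use plugin is an added example written for this page; it is not code from the Webmention plugin or from WordPress core. It assumes the vulnerable code path goes through the WP HTTP API (`wp_remote_get()` and friends), and uses the real `pre_http_request` filter to refuse any outbound request whose host resolves to a loopback, private or link-local address; the function name `example_host_is_internal` is a placeholder.

```php
<?php
/**
 * Plugin Name: Refuse outbound HTTP requests to internal addresses (added example)
 *
 * Hypothetical must-use plugin: place it in wp-content/mu-plugins/ as a
 * stop-gap until the Webmention plugin is updated to 5.7.0 or later.
 * pre_http_request runs before every request made through the WP HTTP API;
 * returning a WP_Error from it cancels the request.
 */

function example_host_is_internal( $host ) {
    // A literal IP is checked directly; a hostname is resolved first so that a
    // DNS name pointing at an internal address is caught as well.
    $ips = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return true; // unresolvable or malformed host: fail closed
    }
    foreach ( $ips as $ip ) {
        // NO_PRIV_RANGE rejects RFC 1918 / fc00::/7; NO_RES_RANGE rejects
        // loopback, link-local (including 169.254.0.0/16, the cloud metadata
        // range), 0.0.0.0/8 and similar reserved blocks.
        if ( false === filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host || example_host_is_internal( $host ) ) {
        // Log the refusal so SSRF attempts show up in monitoring.
        error_log( sprintf( 'Refused outbound request to internal host "%s" (%s)', $host, $url ) );
        return new WP_Error( 'ssrf_blocked', 'Outbound request to an internal address was refused.' );
    }
    return $preempt; // false: let WordPress perform the request normally
}, 10, 3 );
```

Two limits to keep in mind: `gethostbynamel()` resolves IPv4 only and the lookup is separate from the one the transport performs, and HTTP redirects followed by the transport are not re-checked by this hook (setting `'redirection' => 0` through the `http_request_args` filter closes that gap), so this narrows the exposure rather than replacing the update.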
Vulnerability scanners can detect SSRF. You can also perform manual testing, although this requires technical expertise.
Updating to version 5.7.0 or higher fixes the known SSRF vulnerability. However, it’s always recommended to keep all plugins and the WordPress core updated to protect against other potential vulnerabilities.