Platform
wordpress
Component
content-syndication-toolkit
Fixed in
1.3.1
CVE-2026-3478 describes a Server-Side Request Forgery (SSRF) vulnerability in the Content Syndication Toolkit WordPress plugin. The flaw lets unauthenticated attackers make the WordPress server issue arbitrary HTTP requests through the redux_p AJAX action, which can expose internal resources that are not reachable from the internet. All versions up to and including 1.3 are affected; the issue is fixed in 1.3.1, and sites that cannot upgrade immediately should apply compensating controls.
Because the requests originate from the WordPress server, an attacker can reach services that are exposed only on the host or the internal network, such as administrative panels, internal databases with HTTP front ends, or other sensitive resources, and may read sensitive data, change configuration, or gain an initial foothold inside the network. Exploitation is straightforward: the redux_p AJAX action does not validate its url parameter, the regex /.*/ it applies accepts any string, and the value is passed directly to wp_remote_request(). That function, unlike wp_safe_remote_request(), performs none of WordPress's URL safety checks (wp_http_validate_url(), which rejects non-http(s) schemes and hosts that resolve to loopback or private address ranges), so WordPress's built-in SSRF protection never runs for this request.
CVE-2026-3478 was publicly disclosed on 2026-03-21. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation and the plugin's popularity suggest a potential for active exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The SSRF nature of the vulnerability aligns with common attack patterns, making it a potential target for automated scanning and exploitation tools.
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3478 is to upgrade the Content Syndication Toolkit plugin to 1.3.1 or later. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests to the wp_ajax_nopriv_redux_p handler (admin-ajax.php?action=redux_p) or that rejects url parameter values pointing at loopback, link-local or private address space. Additionally, apply egress filtering so the WordPress server can open only the outbound connections it needs; a WordPress security plugin with SSRF protection can add a further layer. After upgrading, verify the fix by calling the redux_p AJAX action with a url that points at an internal resource (for example a loopback address) and confirming that the request is rejected rather than proxied. A rule that filters only literal IP addresses can still be evaded by a hostname that resolves to an internal address, so validation should act on the resolved address or on an explicit host allowlist, not on the URL string alone.
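The vulnerable pattern the advisory describes, its hardened equivalent, and an mu-plugin guard for the interim, as an added example in PHP. This is not the plugin's code and not the 1.3.1 fix: the functions prefixed example_ are hypothetical, the allowlisted hosts are placeholders, and only the redux_p action name, the url parameter and wp_remote_request() come from the advisory. The WordPress APIs used (wp_safe_remote_request(), wp_http_validate_url(), check_ajax_referer(), current_user_can(), wp_send_json_error()) are real core functions.

```php
<?php
/**
 * Added example, not the plugin's code. Shows (1) a hypothetical
 * reconstruction of the vulnerable pattern the advisory describes,
 * (2) a hardened handler, and (3) an mu-plugin guard that can be dropped
 * into wp-content/mu-plugins/ while the upgrade to 1.3.1 is pending.
 * Only "redux_p", the "url" parameter and wp_remote_request() come from
 * the advisory; everything prefixed example_ is an assumption.
 */

// (1) Vulnerable pattern (hypothetical reconstruction, not the real handler).
// Registered via wp_ajax_nopriv_redux_p, so anonymous callers reach it.
// preg_match('/.*/') matches every string, and wp_remote_request() applies
// no URL safety checks, so http://127.0.0.1:8080/ is fetched from the
// server's own network position and its body returned to the caller.
function example_redux_p_vulnerable() {
    $url = isset( $_REQUEST['url'] ) ? wp_unslash( $_REQUEST['url'] ) : '';
    if ( ! preg_match( '/.*/', $url ) ) {            // never false
        wp_send_json_error( 'bad url' );
    }
    $response = wp_remote_request( $url );           // no SSRF safeguards
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
// add_action( 'wp_ajax_nopriv_redux_p', 'example_redux_p_vulnerable' ); // do not register

// Shared validator: explicit scheme and host allowlist, then WordPress's own
// wp_http_validate_url(), which rejects non-http(s) schemes, credentials in
// the URL, unusual ports and hosts that resolve to loopback or RFC 1918
// space (unless the http_request_host_is_external filter allows them).
function example_allowed_syndication_url( $url ) {
    $allowed_hosts = array( 'feeds.example.com', 'news.example.org' ); // placeholders
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return false;
    }
    return (bool) wp_http_validate_url( $url );
}

// (2) Hardened handler: nonce + capability (no nopriv registration at all),
// allowlisted URL, and wp_safe_remote_request() so core's URL validation
// runs on the fetch itself. Redirects are disabled so the URL that was
// validated is the one that is actually requested.
function example_redux_p_hardened() {
    check_ajax_referer( 'example_redux_p', 'nonce' );          // CSRF protection
    if ( ! current_user_can( 'edit_posts' ) ) {                // no anonymous access
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = isset( $_REQUEST['url'] ) ? esc_url_raw( wp_unslash( $_REQUEST['url'] ) ) : '';
    if ( ! example_allowed_syndication_url( $url ) ) {
        wp_send_json_error( 'url not permitted', 400 );
    }
    $response = wp_safe_remote_request( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
add_action( 'wp_ajax_redux_p', 'example_redux_p_hardened' );   // authenticated only

// (3) Interim guard for an unpatched install. Hooked at priority 0 on both
// variants of the action, it runs before the plugin's own callback (default
// priority 10) and exits the request unless the url parameter passes the
// allowlist, so the unsafe wp_remote_request() call is never reached.
function example_redux_p_guard() {
    $url = isset( $_REQUEST['url'] ) ? esc_url_raw( wp_unslash( $_REQUEST['url'] ) ) : '';
    if ( ! example_allowed_syndication_url( $url ) ) {
        wp_send_json_error( 'url not permitted', 400 );        // exits here
    }
}
add_action( 'wp_ajax_nopriv_redux_p', 'example_redux_p_guard', 0 );
add_action( 'wp_ajax_redux_p', 'example_redux_p_guard', 0 );
```

Placed in wp-content/mu-plugins/, the guard is loaded before regular plugins and fires on every admin-ajax.php request carrying action=redux_p. The host allowlist does the real work: wp_http_validate_url() resolves the hostname once at validation time and the HTTP client resolves it again at fetch time, so an IP-range check alone leaves a DNS rebinding window that an explicit list of syndication hosts does not.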
If the patched release (1.3.1) cannot be deployed, review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance; disabling or uninstalling the plugin until it can be updated removes the exposed AJAX handler entirely.
CVE-2026-3478 is a Server-Side Request Forgery vulnerability in the Content Syndication Toolkit WordPress plugin, allowing attackers to make arbitrary HTTP requests.
If you are using the Content Syndication Toolkit plugin in versions 0.0 through 1.3, you are potentially affected by this vulnerability.
Upgrade the Content Syndication Toolkit plugin to a patched version. If upgrading is not possible, implement a WAF rule to block malicious requests.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for active attacks.
Refer to the plugin developer's website or the WordPress plugin directory for official advisories and updates.