Platform: wordpress
Component: performance-monitor
Fixed in: 1.0.7
The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability. This flaw allows unauthenticated attackers to initiate web requests to arbitrary locations, including internal services, by exploiting insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. Successful exploitation could lead to Remote Code Execution (RCE) by chaining with vulnerable services such as Redis. This vulnerability affects versions of the plugin up to and including 1.0.6.
An attacker can leverage this SSRF vulnerability to perform reconnaissance within the internal network. By crafting malicious requests through the vulnerable endpoint, they can probe internal services and identify potential targets for further exploitation. The use of protocols like Gopher expands the attack surface, allowing attackers to bypass certain security restrictions. The most concerning impact arises from the potential for chaining this SSRF vulnerability with other services, such as Redis, to achieve Remote Code Execution. If Redis is exposed and vulnerable, an attacker could potentially gain full control of the WordPress server.
CVE-2026-1648 was publicly disclosed on 2026-03-20. While no public proof-of-concept (PoC) has been released, the SSRF nature of the vulnerability and the potential for chaining with services like Redis make it a high-priority concern. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and potential impact, active exploitation is possible.
WordPress sites utilizing the Performance Monitor plugin, particularly those with internal services like Redis exposed or accessible from the web, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider may be delayed in receiving the fix, increasing their exposure window.
• wordpress / composer / npm:
  grep -r 'wp-json/performance-monitor/v1/curl_data' /var/www/html/
• generic web:
  curl -I https://your-wordpress-site.com/wp-json/performance-monitor/v1/curl_data
• wordpress / composer / npm (WP-CLI prints the plugin slug, not its display title):
  wp plugin list | grep -i 'performance-monitor'
• wordpress / composer / npm:
  wp plugin status | grep -i 'performance-monitor'
Exploit status:
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade the Performance Monitor plugin to a version that addresses this vulnerability. Unfortunately, a fixed version is not yet available. As a temporary workaround, restrict access to the '/wp-json/performance-monitor/v1/curl_data' endpoint using a web application firewall (WAF) or proxy server. Implement strict input validation on the 'url' parameter, ensuring that only allowed protocols and domains are permitted. Consider disabling the plugin entirely if immediate upgrade is not possible. Monitor WordPress logs for suspicious activity related to the plugin’s API endpoint.
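As an added example (not the plugin's own code), the following pure-PHP validator enforces the scheme and host allowlist described above for a 'url' parameter and additionally rejects names that resolve to loopback, private or link-local addresses; the allowed hosts and the DNS map it uses are constructed so it runs offline.

```php
<?php
// Added example (not the plugin's code): allowlist validation for an outbound
// 'url' parameter. The allowed hosts and the DNS map below are constructed values.
// True when $ip is loopback, private (RFC 1918), link-local or otherwise reserved.
function is_forbidden_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}
// Returns [bool $allowed, string $reason]. $resolve maps a hostname to its IP
// addresses; in production pass a real resolver such as 'gethostbynamel'.
function validate_outbound_url(string $url, array $allowedHosts, callable $resolve): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'unparseable URL'];
    }
    // Scheme allowlist: gopher://, file://, dict:// and the like are rejected outright.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL not allowed'];
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if (!in_array($host, $allowedHosts, true)) {
        return [false, 'host not on allowlist'];
    }
    // An allowlisted name can still point inward (misconfiguration, DNS rebinding),
    // so every resolved address is checked too.
    $ips = $resolve($host);
    if (empty($ips)) {
        return [false, 'host did not resolve'];
    }
    foreach ($ips as $ip) {
        if (is_forbidden_ip($ip)) {
            return [false, "resolves to forbidden address $ip"];
        }
    }
    return [true, 'ok'];
}
// Constructed stand-in for DNS so the example runs offline.
$dnsMap  = ['metrics.example.com' => ['203.0.113.10'], 'rebind.example.com' => ['203.0.113.11', '10.0.0.5']];
$resolve = fn(string $h): array => $dnsMap[$h] ?? [];
$allowed = ['metrics.example.com', 'rebind.example.com'];
foreach (['https://metrics.example.com/status', 'gopher://metrics.example.com/', 'http://127.0.0.1/', 'http://rebind.example.com/'] as $u) {
    [$ok, $why] = validate_outbound_url($u, $allowed, $resolve);
    printf("%-38s %s (%s)\n", $u, $ok ? 'ALLOW' : 'DENY', $why);
}
```

Inside WordPress itself, the address-range part of this check is what `wp_safe_remote_get()` applies when it refuses unsafe URLs; the host allowlist and a `permission_callback` on the REST route (so the endpoint is no longer reachable unauthenticated) still have to be added by the plugin.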
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1648 is a Server-Side Request Forgery vulnerability in the Performance Monitor WordPress plugin, allowing attackers to make arbitrary web requests.
You are affected if you are using the Performance Monitor plugin in versions 1.0.6 or earlier. Upgrade as soon as a patch is available.
Upgrade the plugin to a patched version. Until a patch is released, use a WAF to restrict access to the vulnerable endpoint and validate input.
While no active exploitation has been confirmed, the vulnerability's nature and potential impact make it a likely target for attackers.
Check the Performance Monitor plugin's official website or WordPress plugin repository for updates and advisories.