Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.
AnalysisAI
The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.
Technical ContextAI
This vulnerability affects the Qrolic Performance Monitor WordPress plugin (cpe:2.3:a:qrolic:performance_monitor) and is classified as CWE-918 (Server-Side Request Forgery). The flaw exists in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint where insufficient validation of the 'url' parameter in class-rest-callback.php line 168 and class-curl.php line 50 allows attackers to manipulate the server into making requests on their behalf. The vulnerability is particularly dangerous because it supports the Gopher protocol, which can be used to interact with Redis and other internal services that lack authentication, enabling protocol smuggling attacks. The affected code makes outbound HTTP requests without properly restricting the destination or protocols, allowing access to internal network resources and potentially sensitive metadata endpoints.
RemediationAI
Immediately update the Performance Monitor plugin to a version newer than 1.0.6 that addresses this SSRF vulnerability, checking the WordPress plugin repository or vendor communications for the patched release. Until patching is possible, disable the Performance Monitor plugin entirely or implement web application firewall rules to block unauthenticated access to the '/wp-json/performance-monitor/v1/curl_data' endpoint. Network-level mitigations should include restricting outbound connections from the WordPress server to prevent access to internal services, particularly Redis and other unauthenticated internal resources. Consider implementing allowlist-based URL validation if the plugin functionality is business-critical and cannot be immediately disabled. Review server logs for suspicious requests to the vulnerable endpoint and audit internal services for any unauthorized access attempts. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f42f17-bce2-421e-9031-bfa0f8c26b2a?source=cve for additional detection and mitigation guidance.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14167
GHSA-4vr9-8jj4-gfwv