Is WordPress affected by CVE-2026-3478?

Organizations running the Content Syndication Toolkit WordPress plugin (versions 1.3 and below) are exposed to unauthenticated attacks that could allow threat actors to probe internal networks, access sensitive services, and gather intelligence for further attacks without requiring credentials.

CVE-2026-3478

EUVD-2026-14149 HIGH

2026-03-21 Wordfence

GHSA-97j6-f74w-c455

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 21, 2026 - 04:00 vuln.today

EUVD ID Assigned

Mar 21, 2026 - 04:00 euvd

EUVD-2026-14149

CVE Published

Mar 21, 2026 - 03:27 nvd

HIGH 7.2

Description

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is accessible to unauthenticated users. The proxy() method in the Redux_P class takes a URL directly from $_GET['url'] without any validation (the regex is set to /.*/ which matches all URLs) and passes it to wp_remote_request(), which does not have built-in SSRF protection like wp_safe_remote_request(). There is no authentication check, no nonce verification, and no URL restriction. The response from the requested URL is then returned to the attacker, making this a full-read SSRF. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal network ports, or interact with cloud metadata endpoints.

Analysis

The Content Syndication Toolkit plugin for WordPress contains an unauthenticated Server-Side Request Forgery vulnerability that allows attackers to make arbitrary HTTP requests from the WordPress server. All versions up to and including 1.3 are affected through a bundled ReduxFramework library that exposes an unprotected AJAX proxy endpoint. …

Remediation

Within 24 hours: Identify all WordPress instances running the Content Syndication Toolkit plugin and document affected systems; immediately disable the plugin if business operations permit. Within 7 days: Implement Web Application Firewall rules to block AJAX proxy requests to the vulnerable endpoint; review server logs for suspicious activity patterns consistent with SSRF exploitation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

CVE-2026-3478 vulnerability details – vuln.today

Back

CVE-2026-3478

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-3478

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code