Skip to main content

Advanced Import CVE-2026-4328

| EUVDEUVD-2026-37984 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-19 Wordfence GHSA-qvcr-v37j-859c
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L reflects mandatory Author-level authentication; S:C applies because server-side requests escape the WordPress application boundary into internal infrastructure.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 06:36 vuln.today
CVE Published
Jun 19, 2026 - 04:31 nvd
MEDIUM 6.4

DescriptionCVE.org

The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.

AnalysisAI

Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Author-level WordPress credentials
Delivery
Send POST to admin-ajax.php with demo_file_type=url
Exploit
Supply internal target URL in demo_file parameter
Execution
WordPress server issues wp_remote_get() to internal/metadata endpoint
Persist
Capture internal service response from AJAX reply
Impact
Extract credentials or enumerate internal network

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated WordPress session with the upload_files capability - this corresponds to Author role or higher (Author, Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a moderate-severity SSRF with a scope change - the S:C metric is justified because the server's outbound request capability crosses the application trust boundary into internal network infrastructure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding an Author-level WordPress account - obtained through registration, credential stuffing, or account takeover - sends a crafted POST request to admin-ajax.php invoking the demo_download_and_unzip handler with demo_file_type set to 'url' and demo_file set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The WordPress server fetches this URL from its own network context, returning cloud instance IAM role credentials to the attacker's session response. …
Remediation The upstream fix has been committed to the WordPress plugin SVN repository as changeset 3566433; however, no specific released patched version number is independently confirmed from the available reference data - site operators should verify whether a version newer than 1.4.6 is available in the WordPress plugin directory and upgrade immediately upon confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy