
Fediverse Embeds CVE-2026-46697
EUVD-2026-36271 · HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-06-11 · Vendor: GitHub_M
CVSS 3.1 base score: 7.5

Severity by source

Vendor (GitHub_M), primary: 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI: 7.5 HIGH

Unauthenticated REST route reachable over the network with a single GET (AV:N/AC:L/PR:N/UI:N); the response body is returned to the caller, giving high confidentiality impact, with no integrity or availability impact and no scope change.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 11, 2026 - 19:01 (EUVD)
Source Code Evidence Fetched: Jun 11, 2026 - 18:17 (vuln.today)
Analysis Generated: Jun 11, 2026 - 18:17 (vuln.today)
CVE Published: Jun 11, 2026 - 17:16 (cve.org)

Description (CVE.org)

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8.

Analysis (AI)

Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. …
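The bug class the description and analysis above name, as an added illustration that is not the plugin's own code: a proxy handler whose allowlist decision lands in a flag nothing reads, beside a hardened handler that enforces the allowlist as a gate and lets WordPress's own unsafe-URL check refuse loopback and private addresses. The helper allowed_fediverse_hosts() and the filter name are assumptions.

```php
<?php
// Illustrative handlers for the pattern described in the advisory; not the plugin's code.
// Assumed helper: returns the site's configured allowlist of fediverse hosts.
function allowed_fediverse_hosts() {
    return apply_filters( 'example_media_proxy_allowed_hosts', array( 'mastodon.social' ) );
}

// Vulnerable shape: the allowlist result is stored in a local flag that is never checked,
// and the decoded, caller-controlled URL goes straight to wp_remote_get().
function vulnerable_media_proxy( WP_REST_Request $request ) {
    $url                = base64_decode( $request->get_param( 'url' ) );
    $can_download_media = false;
    if ( in_array( wp_parse_url( $url, PHP_URL_HOST ), allowed_fediverse_hosts(), true ) ) {
        $can_download_media = true; // set, but nothing below reads it
    }
    $response = wp_remote_get( $url );
    return wp_remote_retrieve_body( $response ); // full upstream body echoed to an anonymous caller
}

// Hardened shape: decode strictly, require http(s), treat the allowlist as a hard gate,
// and ask WP_Http to reject loopback, link-local and private targets at connect time.
function hardened_media_proxy( WP_REST_Request $request ) {
    $url = base64_decode( (string) $request->get_param( 'url' ), true );
    if ( false === $url ) {
        return new WP_Error( 'bad_param', 'url must be base64', array( 'status' => 400 ) );
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'only http(s) is permitted', array( 'status' => 400 ) );
    }
    if ( empty( $parts['host'] ) || ! in_array( strtolower( $parts['host'] ), allowed_fediverse_hosts(), true ) ) {
        return new WP_Error( 'forbidden_host', 'host is not allowlisted', array( 'status' => 403 ) );
    }
    $response = wp_remote_get( $url, array(
        'reject_unsafe_urls' => true, // runs wp_http_validate_url(): refuses private/loopback IPs
        'redirection'        => 0,    // never follow a redirect off the allowlisted host
        'timeout'            => 5,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'upstream', 'fetch failed', array( 'status' => 502 ) );
    }
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $type, 'image/' ) ) {
        return new WP_Error( 'bad_type', 'upstream is not an image', array( 'status' => 415 ) );
    }
    return new WP_REST_Response( wp_remote_retrieve_body( $response ), 200, array( 'Content-Type' => $type ) );
}
```

Registering the route with permission_callback => '__return_true' keeps it anonymous, as in the advisory, so every gate has to live in the handler itself. The REST server JSON-encodes a returned string, so a production image proxy would emit raw bytes through the rest_pre_serve_request filter instead.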


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify a WordPress site running Fediverse Embeds ≤ 1.5.7
Delivery: Base64-encode an internal target URL (e.g., IMDS or intranet)
Exploit: GET /wp-json/ftf/media-proxy?url=<b64> anonymously
Execution: Plugin calls wp_remote_get server-side
Persist: Response body echoed to the attacker
Impact: Harvest credentials or internal data

Vulnerability Assessment (AI)

Exploitation: The target site must have the Fediverse Embeds WordPress plugin installed and active at version 1.5.7 or earlier, with the REST API reachable from the attacker (the default for any public WordPress install). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N is consistent with the description: an anonymous network attacker can reach the REST endpoint and read sensitive responses (cloud IMDS, internal admin panels, intranet apps) with no user interaction, hence high confidentiality impact and no integrity or availability impact under unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker issues GET /wp-json/ftf/media-proxy?url=<base64(http://169.254.169.254/latest/meta-data/iam/security-credentials/)> against any WordPress site running Fediverse Embeds 1.5.7 or earlier; the plugin decodes the URL, calls wp_remote_get server-side from the WordPress host, and returns the IAM credential response in the HTTP body. The same primitive works against intranet admin panels, Redis/Elasticsearch HTTP interfaces, and internal staging hosts reachable from the WordPress server. …

Remediation: Vendor-released patch: upgrade Fediverse Embeds to version 1.5.8, which removes the vulnerable includes/Media_Proxy.php proxy path entirely (see commit 2f021faf4dadaccef67eda7b81a0b7ceaef450df and advisory GHSA-mpq6-hjh3-m543 at https://github.com/stefanbohacek/fediverse-embeds-wordpress-plugin/security/advisories/GHSA-mpq6-hjh3-m543). … Detailed patch versions, workarounds, and compensating controls in the full report.

Recommended Action (AI)

Within 24 hours: Immediately deactivate and remove the Fediverse Embeds plugin from all WordPress installations; verify no copies remain in use across your environment. …
