Skip to main content

utm.codes CVE-2026-56026

| EUVDEUVD-2026-39689 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-26 audit@patchstack.com GHSA-h3w6-j9vx-xh22
6.4
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L reflects mandatory subscriber authentication; S:C and C:L/I:L reflect SSRF reaching internal network resources beyond the plugin boundary; A:N as no availability impact is described.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:06 vuln.today

DescriptionCVE.org

Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.

AnalysisAI

Server-Side Request Forgery in the utm.codes WordPress plugin (versions ≤ 1.9.0) enables authenticated subscribers to induce the web server to issue arbitrary outbound HTTP requests, with the vulnerability scope extending beyond the plugin itself to potentially reachable internal network resources. The CVSS Scope:Changed rating reflects that a successful exploit can pivot the server's network identity to probe internal services, cloud metadata endpoints, or intranet hosts inaccessible to the attacker directly. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress subscriber credentials
Delivery
Submit crafted internal URL via utm.codes interface
Exploit
Server issues SSRF request to internal target
Execution
Read response containing internal data or cloud metadata
Impact
Escalate using harvested credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber-level account (or higher) on the target site, as confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 Medium score is consistent with a network-reachable, low-complexity SSRF requiring only a WordPress subscriber account (PR:L), with no user interaction needed and a Changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a WordPress subscriber account on a site running utm.codes ≤ 1.9.0, then submits a crafted payload URL - such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ - through the plugin's UTM link generation interface. The server fetches the URL using its own network identity and returns or processes the response, exposing AWS IAM temporary credentials to the attacker. …
Remediation Update the utm.codes WordPress plugin to a version above 1.9.0 if a patched release has been published by the vendor; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/utm-dot-codes/vulnerability/wordpress-utm-codes-plugin-1-9-0-server-side-request-forgery-ssrf-vulnerability for the confirmed fix version, as no exact patched release number was available in the provided data (patch status: patch available per vendor advisory via Patchstack, but released fix version not independently confirmed from input). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56026 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy