CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.
Analysis
The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. …
Remediation
Within 24 hours: Audit all WordPress installations to identify Performance Monitor plugin usage and version numbers; immediately disable the plugin on all affected systems. Within 7 days: Implement WAF rules to block suspicious REST API requests to the vulnerable endpoint (/wp-json/performance-monitor/*); apply network segmentation to isolate WordPress servers from sensitive internal services like Redis. …
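As an added example (not part of the advisory or the plugin's code), the following Python pass over web-server access logs lists every request that reached the curl_data route and notes why the requested target is suspicious. It assumes combined log format and that the 'url' parameter arrives in the query string; the log lines, client addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ROUTE = "/performance-monitor/v1/curl_data"  # REST route named in the advisory
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=https%3A%2F%2Fexample.org%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_ HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2026:10:01:00 +0000] "GET /?rest_route=/performance-monitor/v1/curl_data&url=http://169.254.169.254/ HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jan/2026:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048',
]

def classify_target(target):
    """Explain why a requested 'url' value is suspicious, or return None."""
    if not target:
        return "no url in query string (may be in the request body)"
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-HTTP scheme '{parts.scheme.lower()}'"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "loopback host" if host == "localhost" else None  # other names need DNS
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"internal address {ip}"
    return None

def triage(lines):
    """Return (client, target, reason) for every request that reached the route."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, uri = m.groups()
        req = urlsplit(uri)
        query = parse_qs(req.query)  # also percent-decodes the values
        pretty = req.path.rstrip("/").endswith("/wp-json" + ROUTE)
        # WordPress also serves REST routes via ?rest_route=, which path-only rules miss.
        plain = ROUTE in (r.rstrip("/") for r in query.get("rest_route", []))
        if not (pretty or plain):
            continue
        for target in query.get("url") or [""]:
            reason = classify_target(target) or "endpoint hit, review"
            findings.append((client, target, reason))
    return findings
```

Because the endpoint requires no authentication, every hit is reported, including ones whose target looks benign; hostnames are not resolved, so a public-looking name that points at an internal address still needs a manual check.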
EUVD-2026-14167
GHSA-4vr9-8jj4-gfwv