CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Analysis
Server-Side Request Forgery (SSRF) in WordPress Webmention plugin versions ≤5.6.2 allows unauthenticated remote attackers to force the web server to make arbitrary HTTP requests to internal or external systems. The vulnerability exists in the MF2::parse_authorpage function called through Receiver::post, enabling attackers to probe internal network services, exfiltrate data from cloud metadata endpoints, or modify internal resources. …
Remediation
Within 24 hours: Identify all WordPress instances running Webmention plugin ≤5.6.2 and disable or deactivate the plugin immediately. Within 7 days: Contact plugin vendor for patch status and timeline; implement network segmentation to restrict outbound HTTP/HTTPS requests from web servers to internal systems (via firewall rules or WAF). …
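One way to carry out the first remediation step, as an added example that is not from the advisory or the plugin project: a bash script that walks a web root and flags Webmention installs at or below 5.6.2. It assumes the plugin sits in `wp-content/plugins/webmention/` with a standard `Version:` header in `webmention.php`, and that GNU `sort -V` is available.

```bash
#!/usr/bin/env bash
# Added example: inventory Webmention plugin installs at or below 5.6.2.
# Assumption: the plugin lives in wp-content/plugins/webmention/ and its
# main file webmention.php carries the standard "Version:" plugin header.

LAST_AFFECTED="5.6.2"   # from the advisory: all versions up to and including 5.6.2

# Print the value of the "Version:" header of a plugin main file.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when version $1 <= LAST_AFFECTED (GNU sort -V ordering).
is_affected() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s\n%s\n' "$1" "$LAST_AFFECTED" | sort -V | tail -n 1)" = "$LAST_AFFECTED" ]
}

# Walk a directory tree and report every Webmention install with its status.
# Output columns (tab separated): status, version, path to main plugin file.
scan_webroot() {
    find "$1" -type f -path '*/wp-content/plugins/webmention/webmention.php' 2>/dev/null |
    while IFS= read -r file; do
        ver="$(plugin_version "$file")"
        if is_affected "$ver"; then
            status="AFFECTED"
        elif [ -z "$ver" ]; then
            status="UNKNOWN"   # header missing or unreadable: review by hand
        else
            status="ok"
        fi
        printf '%s\t%s\t%s\n' "$status" "${ver:-?}" "$file"
    done
}

# Usage: ./scan.sh /var/www   (with no argument the script only defines functions)
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
fi
```

Rows marked `AFFECTED` are the installs to deactivate first; `UNKNOWN` rows need a manual look at the plugin header.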
EUVD-2026-18132