Skip to main content

URL Preview Plugin EUVDEUVD-2026-38656

| CVE-2026-12100 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-24 Wordfence GHSA-mpqw-xp9q-3fpc
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network-reachable SSRF via 'url' parameter; scope changes to internal services with limited read/write impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:55 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
HIGH 7.2

DescriptionCVE.org

The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

AnalysisAI

Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running URL Preview plugin
Delivery
Send unauthenticated request with malicious url parameter
Exploit
Server fetches attacker-chosen internal URL
Execution
Receive internal response data via plugin output
Persist
Extract cloud metadata or internal service data
Impact
Pivot using stolen credentials

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of any WordPress site running the URL Preview plugin version 1.0 or earlier with the plugin activated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects a network-reachable, unauthenticated, low-complexity flaw with scope change and limited confidentiality/integrity impact - consistent with classic SSRF where the WordPress host itself is not compromised but adjacent internal systems can be read or modified. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to the WordPress site's URL Preview endpoint with the 'url' parameter pointing at http://169.254.169.254/latest/meta-data/iam/security-credentials/ on a cloud-hosted WordPress install, causing the server to fetch and return cloud instance credentials. The same primitive can be used to probe internal-only services such as Redis, Elasticsearch, or admin panels bound to localhost, modifying state where those services accept HTTP verbs without authentication. …
Remediation No vendor-released patch identified at time of analysis - the advisory indicates the SSRF is present in all versions up to and including 1.0, with no fixed version cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Scan all WordPress installations for the URL Preview plugin; if present, immediately disable and uninstall it. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy