Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network SSRF with scope change to internal services; raised C to H because echoed 'auth' field directly exfiltrates credentials, no integrity/availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.
Articles & Coverage 1
AnalysisAI
Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the Kargo Takip plugin (version ≤ 1.2) be installed and active on a network-reachable WordPress site, and that the attacker can reach the plugin's decodeandview.php endpoint with a controllable 'api_url' query parameter - no authentication, no user interaction, and no non-default configuration is needed (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 High) is consistent with the description: unauthenticated, network-reachable, low complexity, and a scope change because the vulnerable WordPress process can reach internal systems outside its security authority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a single HTTP request to the public WordPress site invoking decodeandview.php with api_url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>, causing the server to fetch the cloud instance metadata response and echo the JSON 'auth' field - containing temporary AWS credentials - back in the HTTP response. The attacker then uses those credentials from their own host to pivot into the victim's cloud account. … |
| Remediation | No vendor-released patch identified at time of analysis - the references point to the current trunk source of the vulnerable file, not a tagged fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress instances using Kargo Takip plugin; disable and remove the plugin immediately from all installations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kargo Takip
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38670
GHSA-mjcx-qfvm-369j