Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects mandatory subscriber authentication; S:C and C:L/I:L reflect SSRF reaching internal network resources beyond the plugin boundary; A:N as no availability impact is described.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.
AnalysisAI
Server-Side Request Forgery in the utm.codes WordPress plugin (versions ≤ 1.9.0) enables authenticated subscribers to induce the web server to issue arbitrary outbound HTTP requests, with the vulnerability scope extending beyond the plugin itself to potentially reachable internal network resources. The CVSS Scope:Changed rating reflects that a successful exploit can pivot the server's network identity to probe internal services, cloud metadata endpoints, or intranet hosts inaccessible to the attacker directly. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress subscriber-level account (or higher) on the target site, as confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 Medium score is consistent with a network-reachable, low-complexity SSRF requiring only a WordPress subscriber account (PR:L), with no user interaction needed and a Changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a WordPress subscriber account on a site running utm.codes ≤ 1.9.0, then submits a crafted payload URL - such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ - through the plugin's UTM link generation interface. The server fetches the URL using its own network identity and returns or processes the response, exposing AWS IAM temporary credentials to the attacker. … |
| Remediation | Update the utm.codes WordPress plugin to a version above 1.9.0 if a patched release has been published by the vendor; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/utm-dot-codes/vulnerability/wordpress-utm-codes-plugin-1-9-0-server-side-request-forgery-ssrf-vulnerability for the confirmed fix version, as no exact patched release number was available in the provided data (patch status: patch available per vendor advisory via Patchstack, but released fix version not independently confirmed from input). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39689
GHSA-h3w6-j9vx-xh22