Skip to main content

Url Preview

1 CVEs product

Monthly

CVE-2026-12100 HIGH This Week

Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.

WordPress SSRF Url Preview
NVD
CVSS 3.1
7.2
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.

WordPress SSRF Url Preview
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy