{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0686", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T19:18:17.788Z", "datePublished": "2026-04-02T07:39:35.655Z", "dateUpdated": "2026-04-08T16:34:21.028Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:21.028Z"}, "affected": [{"vendor": "pfefferle", "product": "Webmention", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve"}, {"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "timeline": [{"time": "2026-01-07T19:33:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-01T19:17:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:44:33.774838Z", "id": "CVE-2026-0686", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:45:20.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0686", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:44:33.774838Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:45:05.733Z"}}], "cna": {"title": "Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pfefferle", "product": "Webmention", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-07T19:33:54.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-01T19:17:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve"}, {"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"}], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:21.028Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0686", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:21.028Z", "dateReserved": "2026-01-07T19:18:17.788Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-02T07:39:35.655Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "id": "CVE-2026-0686", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-02T08:16:27.850", "references": [{"source": "security@wordfence.com", "url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.6.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Webmention", "source": "cna", "vendor": "pfefferle"}, "product": "webmention", "vendor": "pfefferle"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T09:22:00.179319+00:00", "value": {"mitigation_remediation": ["Update the Webmention plugin to any release newer than 5.6.2, which removes the vulnerable MF2::parse_authorpage call.", "Verify the update has installed the correct file and configuration by checking the plugin\u2019s change log or source; ensure that the Receiver::post handler no longer invokes the SSRF vector.", "If an immediate update is not possible, consider disabling the Webmention functionality or restricting outbound HTTP requests from the WordPress installation through firewall rules or web\u2011application firewall settings to mitigate unwanted SSRF traffic."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all Webmention plugin releases up to and including version 5.6.2, which is used within WordPress sites. Site administrators running these versions should verify plugin versioning and promptly apply an update that removes the vulnerable parse_authorpage call.", "description_and_impact": "The affected Webmention plugin allows unauthenticated attackers to trigger server\u2011side requests to arbitrary URLs through the MF2::parse_authorpage routine that runs during the Receiver::post handling. This form of SSRF can expose internal network resources, read sensitive data, or modify internal services, thereby compromising confidentiality and integrity of the host and any linked systems. The underlying weakness is identified as CWE\u2011918, a classic SSRF flaw where an attacker provides a crafted URL that the server fetches.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity. Although an EPSS score is not available, the absence of a known exploit in KEV suggests that exploitation may not yet be widespread, yet the unauthenticated nature and potential to access internal services make it a priority. Attackers would likely perform a POST request to the Webmention endpoint with a malicious URL; if the target system follows that URL, internal data may be disclosed or altered. Given the public availability of the code paths, successful exploitation is considered feasible in the intended environment."}}}}, "created": "2026-04-02T20:15:38.775268+00:00", "updated": "2026-04-02T20:22:14.434580+00:00", "vendors": ["pfefferle", "pfefferle$PRODUCT$webmention", "wordpress", "wordpress$PRODUCT$wordpress"]}