{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0688", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T19:31:01.518Z", "datePublished": "2026-04-02T07:39:34.999Z", "dateUpdated": "2026-04-08T16:32:45.483Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:45.483Z"}, "affected": [{"vendor": "pfefferle", "product": "Webmention", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02c9beba-dfa5-4a30-8355-62ff9a2630f7?source=cve"}, {"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/class-tools.php#L81"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-tools.php#L81"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "timeline": [{"time": "2026-01-07T19:46:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-01T19:17:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:23:17.279236Z", "id": "CVE-2026-0688", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:32:05.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0688", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:23:17.279236Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:23:38.518Z"}}], "cna": {"title": "Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pfefferle", "product": "Webmention", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-07T19:46:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-01T19:17:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02c9beba-dfa5-4a30-8355-62ff9a2630f7?source=cve"}, {"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/class-tools.php#L81"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-tools.php#L81"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"}], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:45.483Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0688", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:45.483Z", "dateReserved": "2026-01-07T19:31:01.518Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-02T07:39:34.999Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "id": "CVE-2026-0688", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-02T08:16:28.057", "references": [{"source": "security@wordfence.com", "url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/class-tools.php#L81"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-tools.php#L81"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02c9beba-dfa5-4a30-8355-62ff9a2630f7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.6.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Webmention", "source": "cna", "vendor": "pfefferle"}, "product": "webmention", "vendor": "pfefferle"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T09:22:15.758248+00:00", "value": {"mitigation_remediation": ["Update the Webmention plugin to version 5.6.3 or later.", "If an immediate update is not possible, remove the plugin or set its permissions so that Subscriber accounts cannot access the read function.", "Monitor outgoing HTTP traffic from the WordPress instance for unexpected or unauthorized outbound requests.", "Consider applying a web application firewall rule to block or inspect outbound requests originating from the Webmention plugin until the update can be applied."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery enabling authenticated users to issue arbitrary web requests from the application"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Webmention plugin from the developer pfefferle. Versions up to and including 5.6.2 are affected; all newer releases contain the fix.", "description_and_impact": "The Webmention WordPress plugin contains a flaw in its read function that will send HTTP requests to any URL supplied by the caller. An attacker who can authenticate to the site with at least Subscriber privileges can trigger this function, allowing the plugin to reach internal network services, retrieve sensitive data, or modify state on those services. This type of vulnerability falls under the Server\u2011Side Request Forgery weakness and can potentially expose confidential information or compromise internal interfaces.", "risk_and_exploitability": "The CVSS base score is 6.4, indicating a moderate severity. No EPSS data is currently available and the issue is not listed in the CISA KEV catalog. Attack requires the victim to be authenticated with Subscriber-level or higher access, after which the attacker can remotely influence outbound requests. While exploitation does not give direct code execution, it can bypass network segmentation and lead to data leakage or further internal attacks."}}}}, "created": "2026-04-02T20:15:39.682640+00:00", "updated": "2026-04-02T20:22:15.398746+00:00", "vendors": ["pfefferle", "pfefferle$PRODUCT$webmention", "wordpress", "wordpress$PRODUCT$wordpress"]}