{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1648", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T19:03:40.942Z", "datePublished": "2026-03-21T03:27:02.354Z", "dateUpdated": "2026-04-08T17:21:43.143Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:43.143Z"}, "affected": [{"vendor": "qrolic", "product": "Performance Monitor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis."}], "title": "Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f42f17-bce2-421e-9031-bfa0f8c26b2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/performance-monitor/tags/1.0.6/includes/class-rest-callback.php#L168"}, {"url": "https://plugins.trac.wordpress.org/browser/performance-monitor/tags/1.0.6/admin/class-curl.php#L50"}, {"url": "https://github.com/assetnote/blind-ssrf-chains"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Afshin Shekaari"}], "timeline": [{"time": "2026-03-20T15:10:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"references": [{"url": "https://github.com/assetnote/blind-ssrf-chains", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:58:57.358956Z", "id": "CVE-2026-1648", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:03:03.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1648", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:58:57.358956Z"}}}], "references": [{"url": "https://github.com/assetnote/blind-ssrf-chains", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:02:50.414Z"}}], "cna": {"title": "Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Afshin Shekaari"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "qrolic", "product": "Performance Monitor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:10:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f42f17-bce2-421e-9031-bfa0f8c26b2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/performance-monitor/tags/1.0.6/includes/class-rest-callback.php#L168"}, {"url": "https://plugins.trac.wordpress.org/browser/performance-monitor/tags/1.0.6/admin/class-curl.php#L50"}, {"url": "https://github.com/assetnote/blind-ssrf-chains"}], "descriptions": [{"lang": "en", "value": "The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:43.143Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1648", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:43.143Z", "dateReserved": "2026-01-29T19:03:40.942Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:02.354Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis."}, {"lang": "es", "value": "El plugin Performance Monitor para WordPress es vulnerable a la Falsificaci\u00f3n de Petici\u00f3n del Lado del Servidor en todas las versiones hasta la 1.0.6, inclusive. Esto se debe a la validaci\u00f3n insuficiente del par\u00e1metro 'url' en el endpoint de la API REST '/wp-json/performance-monitor/v1/curl_data'. Esto hace posible que atacantes no autenticados realicen peticiones web a ubicaciones arbitrarias, incluyendo servicios internos, a trav\u00e9s del protocolo Gopher y otros protocolos peligrosos. Esto puede ser explotado para lograr la Ejecuci\u00f3n Remota de C\u00f3digo encadenando con servicios como Redis."}], "id": "CVE-2026-1648", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:54.310", "references": [{"source": "security@wordfence.com", "url": "https://github.com/assetnote/blind-ssrf-chains"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/performance-monitor/tags/1.0.6/admin/class-curl.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/performance-monitor/tags/1.0.6/includes/class-rest-callback.php#L168"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f42f17-bce2-421e-9031-bfa0f8c26b2a?source=cve"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/assetnote/blind-ssrf-chains"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Performance Monitor", "source": "cna", "vendor": "qrolic"}, "product": "performance_monitor", "vendor": "qrolic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:50:58.299939+00:00", "value": {"mitigation_remediation": ["Update the Performance Monitor plugin to a version newer than 1.0.6, or remove the plugin if it is no longer needed.", "If an immediate upgrade is not possible, restrict or disable the /wp-json/performance-monitor/v1/curl_data endpoint by requiring authentication or disabling the plugin\u2019s REST API capability.", "Block outbound traffic to dangerous protocols such as gopher, ssh, ftp at the network level to limit possible SSRF exploitation chains.", "Monitor the site\u2019s outbound HTTP activity for unusual or unexpected requests that may indicate an exploitation attempt."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the Performance Monitor WordPress plugin developed by qrolic. Versions up to and including 1.0.6 are affected, and all prior releases should be regarded as at risk. WordPress installations that have not upgraded past these releases remain vulnerable.", "description_and_impact": "An unauthenticated attacker can send a crafted request to the /wp-json/performance-monitor/v1/curl_data REST endpoint, allowing the WordPress site to initiate outgoing requests to arbitrary URLs, including internal services and protocols such as Gopher. This server\u2011side request forgery can be chained with vulnerable back\u2011end services like Redis to achieve remote code execution. The possible impact spans loss of confidentiality, integrity, and availability of the affected WordPress site.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 7.2, indicating high severity. No EPSS data is available, and it is not listed in CISA\u2019s known exploited vulnerabilities catalog. Because the endpoint is publicly reachable without authentication, the attack surface is large, making exploitation likely. The potential for remote code execution via SSRF chains further raises the risk profile."}}}}, "created": "2026-03-23T09:50:02.241558+00:00", "updated": "2026-03-25T14:41:42.613023+00:00", "vendors": ["qrolic", "qrolic$PRODUCT$performance_monitor", "wordpress", "wordpress$PRODUCT$wordpress"]}