{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24548", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:46.854Z", "datePublished": "2026-01-23T14:28:52.689Z", "dateUpdated": "2026-04-28T16:14:49.120Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "radio-player", "product": "Radio Player", "vendor": "princeahmed", "versions": [{"lessThanOrEqual": "2.0.91", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:56.563Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.<p>This issue affects Radio Player: from n/a through <= 2.0.91.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through <= 2.0.91."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.120Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Radio Player plugin <= 2.0.91 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:21:20.818056Z", "id": "CVE-2026-24548", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:21:23.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24548", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:21:20.818056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:53:46.154Z"}}], "cna": {"title": "WordPress Radio Player plugin <= 2.0.91 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "princeahmed", "product": "Radio Player", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.91"}], "packageName": "radio-player", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:56.563Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through <= 2.0.91.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.<p>This issue affects Radio Player: from n/a through <= 2.0.91.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.975Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24548", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:21:23.651Z", "dateReserved": "2026-01-23T12:31:46.854Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:52.689Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through <= 2.0.91."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Prince Radio Player radio-player permite falsificaci\u00f3n de petici\u00f3n del lado del servidor. Este problema afecta a Radio Player: desde n/a hasta &lt;= 2.0.91."}], "id": "CVE-2026-24548", "lastModified": "2026-04-28T15:16:12.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:10.940", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T00:56:14.771910+00:00", "value": {"mitigation_remediation": ["Update Radio Player to the latest available release where the SSRF issue is fixed.", "If an upgrade cannot be applied immediately, disable the Radio Player plugin or remove any components that perform external network requests until a patch is available.", "Configure the web server or a WAF to block outbound requests originating from WordPress to private IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) or restrict outgoing traffic for the plugin\u2019s process."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery allowing attackers to reach internal resources"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Radio Player plugin for WordPress from the initial release through version 2.0.91, delivered by the vendor princeahmed. Any WordPress site installing or running that plugin within this version range is affected.", "description_and_impact": "A server\u2011side request forgery (SSRF) flaw in the princeahmed Radio Player WordPress plugin permits a remote attacker to initiate HTTP or other protocol requests from the vulnerable server. Based on the nature of SSRF, it is inferred that an attacker could use this to expose internal network endpoints, allow arbitrary data exfiltration, or serve as a pivot for further attack steps. The weakness is identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS v3.1 score is 5.4, indicating a medium impact. The EPSS score is below 1%, suggesting a low likelihood of widespread exploitation. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker would need to supply a crafted request through the plugin\u2019s functionality to trigger outbound traffic to a target resource; because the flaw does not grant code execution, the attack surface is limited to network access via the vulnerable server."}}}}, "created": "2026-01-26T11:53:00.403451+00:00", "updated": "2026-04-29T01:00:11.405959+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}