{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3881", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-10T13:33:15.768Z", "datePublished": "2026-03-31T06:00:06.964Z", "dateUpdated": "2026-04-02T12:39:58.231Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:58.231Z"}, "title": "Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF", "problemTypes": [{"descriptions": [{"description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Performance Monitor", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.0.6"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks"}], "references": [{"url": "https://wpscan.com/vulnerability/4b30421e-9848-45ce-87ab-0229d9d7df01/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Afshin Shekaari", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:56:08.056806Z", "id": "CVE-2026-3881", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:57:52.001Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3881", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:56:08.056806Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:54:16.774Z"}}], "cna": {"title": "Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Afshin Shekaari"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Performance Monitor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.6"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/4b30421e-9848-45ce-87ab-0229d9d7df01/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:58.231Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3881", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:58.231Z", "dateReserved": "2026-03-10T13:33:15.768Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-31T06:00:06.964Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks"}, {"lang": "es", "value": "El plugin de WordPress Performance Monitor hasta la 1.0.6 no valida un par\u00e1metro antes de realizar una solicitud al mismo, lo que podr\u00eda permitir a usuarios no autenticados realizar ataques SSRF."}], "id": "CVE-2026-3881", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T07:16:12.283", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/4b30421e-9848-45ce-87ab-0229d9d7df01/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.6]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "Performance Monitor", "source": "cna", "vendor": "Unknown"}, "product": "performance_monitor", "vendor": "performance_monitor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T16:24:38.512198+00:00", "value": {"mitigation_remediation": ["Update the Performance Monitor plugin to version 1.0.7 or later as soon as possible.", "If an immediate update is not possible, temporarily block external requests from the plugin's endpoint using a firewall or redirect the request to a restricted interface.", "Monitor server logs for unexpected outbound HTTP requests originating from the plugin."], "summary": {"action": "Patch immediately", "impact": "Unauthenticated blind SSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites that install the Performance Monitor plugin with a version of 1.0.6 or earlier. The plugin vendor is unknown; all installations of the affected plugin are susceptible.", "description_and_impact": "The vulnerability in the Performance Monitor WordPress plugin up to version 1.0.6 occurs because the plugin does not validate a request parameter before making an outbound HTTP request.\nAn unauthenticated user can supply a crafted URL, causing the plugin to fetch resources on behalf of the server. The response is not returned to the attacker, making the SSRF blind, but the attacker can still force the server to contact internal or external resources, potentially exfiltrating data or triggering unauthorized actions.", "risk_and_exploitability": "The CVSS base score of 5.8 indicates moderate severity. The EPSS score is below 1\u202f%, suggesting that real\u2011world exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw is exploitable without authentication and can be triggered via a simple HTTP request, administrators should regard it as a medium risk within their environment. An attacker could manipulate the server to access internal network resources or leak sensitive data through outbound requests."}}}}, "created": "2026-03-31T19:56:09.038600+00:00", "updated": "2026-04-03T09:10:28.974260+00:00", "vendors": ["performance_monitor", "performance_monitor$PRODUCT$performance_monitor", "wordpress", "wordpress$PRODUCT$wordpress"]}