Perceptive Security
SOC/SIEM Consultancy
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' func…
Published:
1 April 2026 at 22:00:00
Alert date:
2 April 2026 at 09:01:29
Source:
nvd.nist.gov
Web Technologies
The WordPress Webmention plugin versions up to 5.6.2 contains a Server-Side Request Forgery vulnerability in the MF2::parse_authorpage function via the Receiver::post function. This vulnerability allows unauthenticated attackers to make arbitrary web requests from the application server, potentially enabling them to query and modify internal services. The flaw affects all versions up to and including 5.6.2 and can be exploited without authentication, making it a significant security risk for WordPress sites using this plugin.
Technical details
Mitigation steps:
Affected products:
WordPress Webmention Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-0686
https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878
https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260
https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877
https://plugins.trac.wordpress.org/changeset/3494831/webmention
https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.