


Perceptive Security
SOC/SIEM Consultancy

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' func…
Published:
1 April 2026 at 22:00:00
Alert date:
2 April 2026 at 09:01:29
Source:
nvd.nist.gov
Web Technologies
The Webmention plugin for WordPress, in all versions up to and including 5.6.2, contains a Server-Side Request Forgery (SSRF) vulnerability in the MF2::parse_authorpage function via the Receiver::post function. Unauthenticated attackers can make arbitrary web requests from the application server, potentially enabling them to query and modify internal services. Because no authentication is required to exploit it, the flaw is a significant security risk for WordPress sites using this plugin.
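A destination check of the kind that blocks this class of SSRF, written here as an added example and not taken from the Webmention plugin or its patch: before the server fetches a URL supplied by a remote party, it accepts only http(s) URLs whose host resolves exclusively to public addresses. The helper names `is_public_fetch_target()` and `resolve_host()`, the sample hostnames and the sample addresses are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code; both helper names are hypothetical.
/** True only if $url is http(s) and every address its host maps to is public. */
function is_public_fetch_target(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // only web schemes are ever fetched
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo invites host-parsing confusion
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps IPv6 brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : ($resolver ?? 'resolve_host')($host);
    if (!$ips) {
        return false; // unresolvable names are rejected, not fetched
    }
    // Private: 10/8, 172.16/12, 192.168/16, fc00::/7.
    // Reserved: 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // one internal address is enough to refuse
        }
    }
    return true;
}

/** Default resolver: all A and AAAA records for $host. */
function resolve_host(string $host): array
{
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ip = $rec['ip'] ?? $rec['ipv6'] ?? null;
        if ($ip !== null) { $ips[] = $ip; }
    }
    return $ips;
}

// Constructed sample URLs and a stub resolver so the demo runs offline.
$dns  = ['blog.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']];
$stub = fn(string $h): array => $dns[$h] ?? [];
$urls = ['https://blog.example/about', 'http://intranet.example/admin',
         'http://127.0.0.1:8080/', 'http://[::1]/', 'ftp://blog.example/'];
foreach ($urls as $u) {
    printf("%-32s %s\n", $u, is_public_fetch_target($u, $stub) ? 'allow' : 'block');
}
```

The check only holds if the HTTP client then connects to the address that was validated and applies the same check to every redirect hop. WordPress core provides `wp_safe_remote_get()`, which rejects URLs it considers unsafe before sending the request.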
Technical details
Affected products:
WordPress Webmention Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-0686
https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878
https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260
https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877
https://plugins.trac.wordpress.org/changeset/3494831/webmention
https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve
This article was created with the assistance of AI technology by Perceptive.
