CVE-2026-46698

Published: Jun 11, 2026Modified: Jun 11, 2026Deferred

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/stefanbohacek/fediverse-embeds-wordpress-plugin/commit/93821405790ccc7a80528e91b34b624606b54969

Source: security-advisories@github.com

https://github.com/stefanbohacek/fediverse-embeds-wordpress-plugin/security/advisories/GHSA-cr42-rgq6-whjh

Source: security-advisories@github.com

https://github.com/stefanbohacek/fediverse-embeds-wordpress-plugin/security/advisories/GHSA-cr42-rgq6-whjh

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.