{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webmention/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-0686"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","wordpress","webmention","cve-2026-0686"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Webmention plugin for WordPress, a plugin designed to facilitate webmention communications, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-0686. This vulnerability affects all versions of the plugin up to and including 5.6.2. The vulnerability resides within the \u0026lsquo;MF2::parse_authorpage\u0026rsquo; function, accessible through the \u0026lsquo;Receiver::post\u0026rsquo; function. An unauthenticated attacker can exploit this flaw to force the WordPress server to make HTTP requests to arbitrary external or internal locations. This can be leveraged to gather sensitive information from internal services, bypass firewalls, or potentially modify data depending on the accessibility of internal resources. \nThe vulnerable code was present as of April 2026 in the version 5.6.2 branch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious webmention request targeting a WordPress site running the vulnerable Webmention plugin.\u003c/li\u003e\n\u003cli\u003eThe WordPress site receives the webmention request and processes it using the \u0026lsquo;Receiver::post\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;Receiver::post\u0026rsquo; function calls the \u0026lsquo;MF2::parse_authorpage\u0026rsquo; function to parse the author page URL specified in the webmention request.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;MF2::parse_authorpage\u0026rsquo; function, due to lack of proper validation, makes an HTTP request to an attacker-controlled or internal URL specified within the webmention data.\u003c/li\u003e\n\u003cli\u003eThe WordPress server initiates a connection to the specified URL, potentially bypassing firewall restrictions or accessing internal services not directly exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe response from the targeted URL is processed by the plugin, potentially revealing information about the internal network or services.\u003c/li\u003e\n\u003cli\u003eDepending on the targeted internal service and the attacker\u0026rsquo;s crafted request, the attacker might be able to modify data or execute commands.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to information disclosure, internal service compromise, or potential remote code execution depending on the vulnerable internal service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0686 allows unauthenticated attackers to perform Server-Side Request Forgery attacks against WordPress sites utilizing the Webmention plugin. \nThis can lead to the exposure of sensitive information from internal services, such as configuration files or database credentials. Furthermore, attackers could potentially leverage this vulnerability to interact with and potentially compromise other internal systems that are not directly accessible from the internet, leading to a full compromise of the affected network. While the exact number of affected WordPress installations is unknown, the widespread use of the Webmention plugin makes this a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Webmention plugin to a version higher than 5.6.2 to patch CVE-2026-0686.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Webmention SSRF Attempt via Request to Internal IP\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual outbound connections originating from the WordPress server to internal IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks, restricting access from the WordPress server to only necessary internal services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T08:16:27Z","date_published":"2026-04-02T08:16:27Z","id":"/briefs/2026-04-wordpress-webmention-ssrf/","summary":"The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 5.6.2, allowing unauthenticated attackers to make arbitrary web requests and potentially query or modify internal services.","title":"WordPress Webmention Plugin SSRF Vulnerability (CVE-2026-0686)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-webmention-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Webmention","version":"https://jsonfeed.org/version/1.1"}