๐Ÿ” CVE Alert

CVE-2026-12517

MEDIUM 5.3

Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Site Info Endpoint

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.

Vendor unknown
Product fediverse embeds
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for unknown fediverse embeds

Be the first to know when new medium vulnerabilities affecting unknown fediverse embeds are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Fediverse Embeds
0 < 1.5.8

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/460a996f-e27d-47e8-9d68-9e6be93100c0/

Credits

0xBassia WPScan