PT-2026-26856 · WordPress · Wordpress Content Syndication Toolkit

Youcef Hamdani · Published 2026-03-21 · Updated 2026-03-22 · CVE-2026-3478

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
WordPress Content Syndication Toolkit plugin versions prior to 1.4

Description
The WordPress Content Syndication Toolkit plugin is vulnerable to Server-Side Request Forgery (SSRF). The plugin registers an unauthenticated proxy endpoint, 'wp_ajax_nopriv_redux_p', which accepts a URL from the 'url' GET parameter without validation. This parameter is passed to wp_remote_request(), which has no built-in SSRF protection. Because the endpoint has no authentication checks, nonce verification, or URL restrictions, attackers can make web requests to arbitrary locations from the web application, potentially enabling access to internal services, network scanning, and interaction with cloud metadata endpoints.

Recommendations
Update to version 1.4 or later.
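
For sites that ran a version prior to 1.4, the following added example (not part of the advisory or the plugin) triages web server access logs for requests to the proxy endpoint described above and labels the destination each request asked the server to fetch. It assumes combined-format logs, that the hook is reached through /wp-admin/admin-ajax.php with action=redux_p in the query string (the usual WordPress mapping for a wp_ajax_nopriv_ hook), and uses constructed sample log lines.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def classify_target(url):
    """Label the destination the proxy endpoint was asked to fetch."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    if not host:
        return "unparseable"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: no DNS lookup is done here, only obvious local names are flagged.
        local = host == "localhost" or host.endswith((".internal", ".local"))
        return "internal-name" if local else "external-name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    return "private" if ip.is_private else "external-ip"

def find_proxy_hits(lines):
    """Return (client, requested_url, label) for each request to the redux_p action."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query)
        if not parts.path.endswith("/admin-ajax.php") or "redux_p" not in query.get("action", []):
            continue
        for url in query.get("url", []):
            hits.append((m.group("client"), url, classify_target(url)))
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http://10.0.0.5:8080/status HTTP/1.1" 200 88',
    '198.51.100.4 - - [21/Mar/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
    '198.51.100.9 - - [21/Mar/2026:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=https%3A%2F%2Fexample.com%2Ffeed.xml HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, url, label in find_proxy_hits(SAMPLE_LOG):
        print(f"{client} asked the proxy for {url} [{label}]")
```

Hostnames are not resolved, so a name labelled external-name can still point at an internal address and should be checked against DNS records separately.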

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-3478

Affected Products: Wordpress Content Syndication Toolkit