PT-2026-56703 · Undefined · Undefined
0Xbassia
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-12517
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Undefined