Fediverse Embeds < 1.5.8 – Unauthenticated SSRF via Media Proxy | CVE 2026-12516

Description

The plugin does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.

Proof of Concept

The PoC will be displayed on July 02, 2026, to give users the time to update.

Affects Plugins

fediverse-embeds

Fixed in 1.5.8

References

CVE

CVE-2026-12516

Classification

Type

SSRF

OWASP top 10

A1: Injection

CWE

CWE-918

CVSS

7.5 (high)

Miscellaneous

Original Researcher

0xBassia

Submitter

0xBassia

Submitter website

https://github.com/0xBassia

Submitter twitter

MohamedBassia

Verified

Yes

WPVDB ID

2ac80164-03b7-4966-b022-833b4194de80

Timeline

Publicly Published

2026-06-18 (about 2 days ago)

Added

2026-06-18 (about 2 days ago)

Last Updated

2026-06-19 (about 14 hours ago)

Other

Published

Title

Published

2026-01-06

Title

IMGspider <= 2.3.12 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2021-04-13

Title

WP Smart Import < 1.0.1 - Auhenticated Server-side Request Forgery

Published

2014-11-30

Title

WordPress <= 4.0 - Server Side Request Forgery (SSRF)

Published

2026-05-21

Title

FluentCRM < 3.0.0 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter

Published

2024-12-05

Title

Broken Link Checker < 2.4.2 - Admin+ SSRF