Fediverse Embeds < 1.5.8 – Unauthenticated SSRF via Site Info Endpoint | CVE 2026-12517

Description

The plugin does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.

Proof of Concept

The PoC will be displayed on July 02, 2026, to give users the time to update.

Affects Plugins

fediverse-embeds

Fixed in 1.5.8

References

CVE

CVE-2026-12517

Classification

Type

SSRF

OWASP top 10

A1: Injection

CWE

CWE-918

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

0xBassia

Submitter

0xBassia

Submitter website

https://github.com/0xBassia

Submitter twitter

MohamedBassia

Verified

Yes

WPVDB ID

460a996f-e27d-47e8-9d68-9e6be93100c0

Timeline

Publicly Published

2026-06-18 (about 4 days ago)

Added

2026-06-18 (about 3 days ago)

Last Updated

2026-06-18 (about 3 days ago)

Other

Published

Title

Published

2026-05-27

Title

Independent Analytics < 2.14.10 - Unauthenticated Server-Side Request Forgery via Tracking Route

Published

2025-11-17

Title

Local Syndication <= 1.5a - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

Published

2023-11-27

Title

12 Step Meeting List < 3.14.25 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2022-02-28

Title

Formcraft3 < 3.8.28 - Unauthenticated SSRF

Published

2024-07-10

Title

BerqWP < 1.7.6 - Unauthenticated Server-Side Request Forgery