WordPress Plugin Vulnerabilities

Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
performance-monitor
No known fix

References

CVE
CVE-2026-3881

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Afshin Shekaari
Submitter
Afshin Shekaari
Verified
Yes
WPVDB ID
4b30421e-9848-45ce-87ab-0229d9d7df01

Timeline

Publicly Published
2026-03-10 (about 21 days ago)
Added
2026-03-10 (about 20 days ago)
Last Updated
2026-03-10 (about 20 days ago)

Other

Published
Title
Published
2025-12-31
Title
Genemy <= 1.6.6 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2014-08-01
Title
WordPress 1.5.1-3.5 - XML-RPC Pingback API Internal/External Port Scanning
Published
2026-01-15
Title
DK PDF – WordPress PDF Generator < 2.3.1 - Authenticated (Author+) Server-Side Request Forgery
Published
2026-01-27
Title
AI Engine < 3.3.3 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-04-22
Title
BuddyForms < 2.8.9 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery