WordPress Plugin Vulnerabilities

Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
performance-monitor
No known fix

References

CVE
CVE-2026-3881

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Afshin Shekaari
Submitter
Afshin Shekaari
Verified
Yes
WPVDB ID
4b30421e-9848-45ce-87ab-0229d9d7df01

Timeline

Publicly Published
2026-03-10 (about 1 month ago)
Added
2026-03-10 (about 1 month ago)
Last Updated
2026-03-10 (about 1 month ago)

Other

Published
Title
Published
2025-05-13
Title
Ninja Forms Webhooks < 3.0.8 - Authenticated (Admin+) Server-Side Request Forgery via Form Webhook
Published
2025-08-26
Title
Chartbeat <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-12-12
Title
Radio Player < 2.0.85 - Unauthenticated Server-Side Request Forgery
Published
2024-04-16
Title
Really Simple SSL < 8.0.0 - Admin+ Server-Side Request Forgery
Published
2025-09-26
Title
PopAd <= 1.0.4 - Authenticated (Admin+) Server-Side Request Forgery