Fediverse Embeds Plugin Vulnerability (CVE-2026-46697)

Security Alert Summary

The Fediverse Embeds plugin registered an unauthenticated REST route that forwarded a base64-encoded URL to wp_remote_get($url) without enforcing an allowlist. The full response body was returned to the caller, making the route usable as a full-read SSRF / open proxy by any anonymous visitor. According to the advisory, this behavior was addressed in version 1.5.8.

CVE Details

  • CVE ID: CVE-2026-46697
  • Affected component: Fediverse Embeds plugin (REST route ftf/media-proxy, file includes/Media_Proxy.php)
  • Affected versions: Prior to version 1.5.8
  • Published: June 11, 2026 at 6:16:25 PM UTC
  • Last modified: June 11, 2026 at 8:59:55 PM UTC
  • CVSS v3.1: Base Score 7.5 — High; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: No authentication required; privileges required: none; user interaction: none
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • CWE / weakness ID: CWE-918

Technical Details

The plugin exposed a REST endpoint ftf/media-proxy implemented in includes/Media_Proxy.php. That route used permission_callback => __return_true, allowing anonymous access. The endpoint accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing an allowlist of trusted fediverse domains.

The plugin source included a comment noting that requests should be validated against allowed fediverse domains, but in the referenced release the validation only set a local $can_download_media flag that was never read. Because the full response body was echoed back to the caller, the endpoint functioned as a full-read SSRF / open proxy reachable by any anonymous visitor. The advisory states this was addressed in version 1.5.8.
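As an added illustration (not the plugin's own code and not the 1.5.8 fix, which the advisory does not reproduce), a hardened form of such a route: the decoded URL is checked against a host allowlist and the result of that check is enforced before any outbound request, instead of being parked in a flag that nothing reads. The function names, the ftf_allowed_media_hosts filter and the sample allowlist entry are assumptions.

```php
<?php
// Illustrative hardened media-proxy route; not the plugin's own code.
// Placeholder allowlist of fediverse hosts this site trusts; populate per deployment.
function ftf_allowed_media_hosts(): array {
    return apply_filters( 'ftf_allowed_media_hosts', array( 'mastodon.social' ) );
}
// Decode the base64 URL and accept it only if it is an absolute https URL on an allowlisted host.
// Returns the URL or a WP_Error: the caller must act on the result, not park it in an unread flag.
function ftf_validate_proxy_url( string $encoded ) {
    $url = base64_decode( $encoded, true );
    if ( false === $url ) {
        return new WP_Error( 'ftf_bad_encoding', 'URL is not valid base64.', array( 'status' => 400 ) );
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ftf_bad_url', 'Only absolute https URLs are accepted.', array( 'status' => 400 ) );
    }
    if ( ! in_array( strtolower( $parts['host'] ), ftf_allowed_media_hosts(), true ) ) {
        return new WP_Error( 'ftf_host_not_allowed', 'Host is not an allowed fediverse domain.', array( 'status' => 403 ) );
    }
    return $url;
}
function ftf_media_proxy_handler( WP_REST_Request $request ) {
    $url = ftf_validate_proxy_url( (string) $request->get_param( 'url' ) );
    if ( is_wp_error( $url ) ) {
        return $url; // Deny before any outbound request is made.
    }
    // wp_safe_remote_get() also rejects loopback/private addresses; 'redirection' => 0 stops an
    // allowlisted host from bouncing the request to one that is not on the list.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'ftf_fetch_failed', 'Upstream fetch failed.', array( 'status' => 502 ) );
    }
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $type, 'image/' ) ) {
        return new WP_Error( 'ftf_not_media', 'Upstream did not return an image.', array( 'status' => 415 ) );
    }
    // Relay the body only as media, so the route is no longer a general-purpose fetcher.
    header( 'Content-Type: ' . $type );
    echo wp_remote_retrieve_body( $response ); // phpcs:ignore WordPress.Security.EscapeOutput -- binary media
    exit;
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'ftf', '/media-proxy', array(
        'methods'             => 'GET',
        'callback'            => 'ftf_media_proxy_handler',
        'permission_callback' => '__return_true', // anonymous use is acceptable once the URL is allowlisted
        'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```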

How This Could Impact Your Website

In a typical small- or medium-sized WordPress site, multiple people may interact with content and embeds: a site owner, internal staff or editors who add embeds, and external contractors or contributors who prepare content. An anonymous attacker could abuse the open proxy behavior to fetch internal or external URLs and return their contents. Practically, that could disclose sensitive responses from internal services, private endpoints, or content that is not intended to be public.

Possible consequences include exposure of internal information (for example, data reachable only through internal URLs) and an increased risk of targeted phishing or social engineering if an attacker can access email lists or other confidential data. The vulnerability description indicates a confidentiality impact; it does not indicate direct integrity or availability impacts. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin to version 1.5.8 (or later) as soon as possible.
  • Review and reduce unnecessary user roles, especially contributor-level access for untrusted accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual requests to REST endpoints or unexpected outgoing requests initiated by plugins.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
