Security Alert Summary
The Webmention plugin for WordPress contains a server-side request forgery (SSRF) vulnerability via its Tools::read function in all versions up to and including 5.6.2. Authenticated users with Subscriber-level access or higher can cause the plugin to make web requests to arbitrary locations originating from the web application, which may allow querying or modification of internal services.
CVE Details
- CVE ID: CVE-2026-0688
- Affected plugin or component: The Webmention plugin for WordPress
- Affected versions: All versions up to and including 5.6.2
- Published: April 2, 2026 at 8:16:28 AM
- Last modified: April 2, 2026 at 8:16:28 AM
- CVSS v3.1: Base score 6.4 – MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User interaction: Requires an authenticated user; privileges required: Low (Subscriber-level and above); user interaction: None
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness (CWE): CWE-918 (Server-Side Request Forgery)
Technical Details
The vulnerability is a server-side request forgery (SSRF) that exists in the plugin’s Tools::read function. When invoked by an authenticated user with sufficient privileges, the function can be used to instruct the application to make HTTP requests to arbitrary URLs. Because these requests originate from the web server, they can reach internal services that are not accessible externally. The CVE description states that the issue allows attackers to make web requests to arbitrary locations and can be used to query and modify information from internal services.
This behavior stems from the lack of proper validation of, or restrictions on, the destination URL in the Tools::read code path. The references listed below point to the plugin file where the function is implemented (includes/class-tools.php), indicating the location of the vulnerable code.
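To make the "lack of validation on destinations" concrete, here is an added example that is not the Webmention plugin's code: a hypothetical `Example_Tools` class showing the SSRF-prone pattern (a caller-supplied URL handed straight to the HTTP client) beside a hardened `read()` that checks the caller's capability, validates the destination, and fetches through WordPress's safe client. The `Example_Tools`, `example_is_public_http_url` and `example_is_public_ip` names, the `publish_posts` capability choice and the argument values are assumptions for illustration; `wp_remote_get`, `wp_safe_remote_get`, `current_user_can`, `WP_Error` and the `redirection`, `timeout` and `limit_response_size` request arguments are real WordPress core APIs.

```php
<?php
// Added example (not the Webmention plugin's code). Assumes it runs inside
// WordPress so that current_user_can(), wp_safe_remote_get(), etc. exist.

/**
 * True only if $ip is outside loopback, private, link-local and reserved ranges.
 */
function example_is_public_ip( string $ip ): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if ( filter_var( $ip, FILTER_VALIDATE_IP, $flags ) === false ) {
        return false;
    }
    // Explicitly reject link-local as well (cloud metadata services live there),
    // in case the PHP build's reserved-range table does not cover it.
    if ( strpos( $ip, '169.254.' ) === 0 || stripos( $ip, 'fe80:' ) === 0 ) {
        return false;
    }
    return true;
}

/**
 * True only if $url is an http(s) URL, carries no embedded credentials, and its
 * host resolves exclusively to public addresses (every A and AAAA record checked).
 */
function example_is_public_http_url( string $url ): bool {
    $parts = parse_url( $url );
    if ( ! $parts || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, gopher://, php://, etc.
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    $host = strtolower( trim( $parts['host'], '[]' ) );

    $addresses = array();
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses[] = $host; // IP literal: check it directly
    } else {
        foreach ( (array) ( gethostbynamel( $host ) ?: array() ) as $a ) {
            $addresses[] = $a;
        }
        foreach ( (array) ( dns_get_record( $host, DNS_AAAA ) ?: array() ) as $rec ) {
            $addresses[] = $rec['ipv6'];
        }
    }
    if ( empty( $addresses ) ) {
        return false; // unresolvable: refuse rather than let the client decide
    }
    foreach ( $addresses as $ip ) {
        if ( ! example_is_public_ip( $ip ) ) {
            return false;
        }
    }
    return true;
}

class Example_Tools {
    /**
     * SSRF-prone pattern: the URL the caller supplies goes straight to the
     * HTTP client, so any authenticated caller can point the server anywhere.
     */
    public static function read_unvalidated( string $url ) {
        return wp_remote_get( $url );
    }

    /**
     * Hardened pattern: require a capability above Subscriber (publish_posts is
     * an example choice), validate the destination, fetch via the safe client
     * with redirects disabled so a 3xx cannot bounce the request inward.
     */
    public static function read( string $url ) {
        if ( ! current_user_can( 'publish_posts' ) ) {
            return new WP_Error( 'forbidden', 'Insufficient privileges.' );
        }
        if ( ! example_is_public_http_url( $url ) ) {
            return new WP_Error( 'unsafe_url', 'Destination is not a public http(s) URL.' );
        }
        return wp_safe_remote_get( $url, array(
            'timeout'             => 5,
            'redirection'         => 0,
            'limit_response_size' => 1024 * 1024,
        ) );
    }
}
```

`wp_safe_remote_get()` sets `reject_unsafe_urls`, which makes core run its own host check (`wp_http_validate_url()`) as well, so the destination is screened twice. Neither check pins the resolved address, so a hostname whose DNS answer changes between validation and connection (DNS rebinding) can still slip through; where that matters, connect to the validated IP directly or enforce egress filtering at the network layer, and in any case alert on outbound requests from the web server to private ranges, as the monitoring recommendation below suggests.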
How This Could Impact Your Website
In a typical small business WordPress site, a site owner may grant contributor or subscriber accounts to internal staff, contractors, or external contributors. If one of those accounts is used to trigger the vulnerable function, an attacker could cause the site to make requests to internal systems such as management interfaces, internal APIs, or metadata endpoints. Practical consequences include exposure of internal service responses, disclosure of internal network structure, and the potential for extracting sensitive information that could be used in follow-up attacks like targeted phishing or social engineering.
The impact described in the CVSS data is limited to low confidentiality and integrity effects and no availability impact, so it does not imply full site takeover. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor and subscriber accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected outbound requests from the web server.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/class-tools.php#L81
- https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-tools.php#L81
- https://plugins.trac.wordpress.org/changeset/3494831/webmention
- https://www.wordfence.com/threat-intel/vulnerabilities/id/02c9beba-dfa5-4a30-8355-62ff9a2630f7?source=cve