Fediverse Embeds WordPress Plugin Site Info SSRF Vulnerability
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.
Quick answer
Fediverse Embeds should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Fediverse Embeds before 1.5.8
Fixed versions
- 1.5.8
How to fix it
Fediverse Embeds for WordPress before 1.5.8 exposed an unauthenticated site-info SSRF path. Update the plugin and block server-side requests to private, loopback, link-local, and metadata service addresses.
- Inventory WordPress sites running the Fediverse Embeds plugin and identify versions before 1.5.8.
- Update Fediverse Embeds to version 1.5.8 or later from a trusted WordPress source.
- Temporarily disable the plugin if an immediate update is not possible.
- Block outbound HTTP requests from WordPress to private IP ranges, loopback addresses, link-local networks, and cloud metadata endpoints.
- Review web server and WordPress logs for unusual site-info requests or requests targeting internal hostnames.
- Apply least-privilege network egress controls to PHP-FPM or the web server user.
- Purge caches and retest Fediverse embed functionality after patching.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Fediverse Embeds is running version 1.5.8 or later.
- Verify unauthenticated users cannot use the site-info endpoint to reach internal URLs.
- Test that internal and metadata service URLs are blocked by network egress policy.
- Review access logs for SSRF probes and follow up on any successful internal responses.
- Run a Fixnx scan and confirm the WordPress site does not expose vulnerable plugin endpoints.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-12517?
Fediverse Embeds versions listed as affected should be reviewed: Fediverse Embeds before 1.5.8.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
