mediumCVE-2026-12517

Fediverse Embeds WordPress Plugin Site Info SSRF Vulnerability

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.

ProductFediverse Embeds
CVSS5.3
EPSS0.00132
UpdatedJuly 10, 2026

Quick answer

Fediverse Embeds should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Fediverse Embeds before 1.5.8

Fixed versions

  • 1.5.8

How to fix it

Fediverse Embeds for WordPress before 1.5.8 exposed an unauthenticated site-info SSRF path. Update the plugin and block server-side requests to private, loopback, link-local, and metadata service addresses.

  1. Inventory WordPress sites running the Fediverse Embeds plugin and identify versions before 1.5.8.
  2. Update Fediverse Embeds to version 1.5.8 or later from a trusted WordPress source.
  3. Temporarily disable the plugin if an immediate update is not possible.
  4. Block outbound HTTP requests from WordPress to private IP ranges, loopback addresses, link-local networks, and cloud metadata endpoints.
  5. Review web server and WordPress logs for unusual site-info requests or requests targeting internal hostnames.
  6. Apply least-privilege network egress controls to PHP-FPM or the web server user.
  7. Purge caches and retest Fediverse embed functionality after patching.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Fediverse Embeds is running version 1.5.8 or later.
  • Verify unauthenticated users cannot use the site-info endpoint to reach internal URLs.
  • Test that internal and metadata service URLs are blocked by network egress policy.
  • Review access logs for SSRF probes and follow up on any successful internal responses.
  • Run a Fixnx scan and confirm the WordPress site does not expose vulnerable plugin endpoints.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-12517?

Fediverse Embeds versions listed as affected should be reviewed: Fediverse Embeds before 1.5.8.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.