Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery

Description

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affected Products

Vendor	Product	Versions
pfefferle	webmention	0

References

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-0686 | pfefferle Webmention Plugin up to 5.6.2 on WordPress MF2::parse_authorpage server-side request forgery

→ No new info (linked only)

CVSS 3.17.2 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-918

PublishedApr 2, 2026

Last enriched4h agov2

Trending Score49

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History