Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery

Description

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affected Products

Vendor	Product	Versions
pfefferle	webmention	0

References

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-0688 | pfefferle Webmention Plugin up to 5.6.2 on WordPress Tools::read server-side request forgery

→ No new info (linked only)

CVSS 3.16.4 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-918

PublishedApr 2, 2026

Last enriched2h agov2

Trending Score49

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History