Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12100

CVE-2026-12100: WordPress URL Preview Plugin SSRF Flaw

CVE-2026-12100 is a Server-Side Request Forgery flaw in the WordPress URL Preview plugin that allows unauthenticated attackers to make requests to internal services. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-12100 Overview

CVE-2026-12100 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in the URL Preview plugin for WordPress. The flaw affects all versions up to and including 1.0 and resides in the handling of the url parameter. Unauthenticated attackers can send crafted requests that cause the WordPress server to issue arbitrary outbound HTTP requests. Attackers can use this primitive to probe internal network services, reach cloud metadata endpoints, and interact with non-public APIs that trust the WordPress host. The vulnerability requires no authentication and no user interaction, making it directly reachable from the public internet on any site running the plugin.

Critical Impact

Unauthenticated attackers can coerce the WordPress server into making arbitrary HTTP requests to internal services, enabling reconnaissance and interaction with otherwise unreachable systems.

Affected Products

  • WordPress URL Preview plugin (slug: link-preview) versions ≤ 1.0
  • WordPress sites with the URL Preview plugin installed and active
  • Hosting environments exposing the affected plugin endpoint to unauthenticated requests

Discovery Timeline

  • 2026-06-24 - CVE-2026-12100 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-12100

Vulnerability Analysis

The URL Preview plugin exposes functionality that fetches a remote URL supplied through the url request parameter and returns preview content. The plugin accepts attacker-controlled input without validating the destination scheme, host, or address range. As a result, the WordPress server performs an outbound HTTP request on the attacker's behalf to any location the attacker specifies.

This SSRF can target loopback addresses such as 127.0.0.1, RFC1918 ranges, link-local cloud metadata services like 169.254.169.254, and other internal hosts that trust traffic originating from the application server. Attackers can use the primitive to enumerate internal services, retrieve cloud instance credentials, and interact with administrative interfaces that are not exposed externally.

Root Cause

The root cause is missing validation of the url parameter prior to issuing a server-side HTTP request in the plugin's link preview routine. Source files class.linkpreview.php (lines around 30 and 112) construct and execute the outbound request using the user-supplied value without enforcing an allowlist of hosts, restricting schemes to http/https, or blocking private and reserved IP ranges.

Attack Vector

The attack vector is network-based and unauthenticated. An attacker sends an HTTP request to the vulnerable WordPress endpoint with the url parameter pointing to an internal or otherwise restricted target. The WordPress host issues the request and may return response data, response metadata, or timing information that the attacker uses to map internal infrastructure. No user interaction or privileges are required.

No verified public exploit code is available for CVE-2026-12100. Technical details are documented in the Wordfence Vulnerability Report and the WordPress Plugin Source Code.

Detection Methods for CVE-2026-12100

Indicators of Compromise

  • Web server access logs showing requests to URL Preview plugin endpoints carrying a url parameter referencing internal IP ranges, localhost, or 169.254.169.254.
  • Outbound connections from the WordPress host to internal subnets, cloud metadata endpoints, or unusual external hosts that do not match normal site behavior.
  • Repeated requests with sequential or scripted variations of the url parameter indicating SSRF probing or port scanning.

Detection Strategies

  • Inspect HTTP request logs for the url query parameter targeting non-public destinations and alert on private, loopback, or link-local address patterns.
  • Correlate inbound requests to the plugin with outbound connections from the WordPress host to identify SSRF-induced traffic flows.
  • Deploy Web Application Firewall (WAF) rules that block requests where the url parameter resolves to RFC1918, loopback, or cloud metadata addresses.

Monitoring Recommendations

  • Monitor egress traffic from web servers and alert on connections to internal management interfaces, databases, or metadata services.
  • Enable verbose logging of plugin invocations and forward logs to a centralized analytics platform for retention and search.
  • Baseline normal outbound destinations for the WordPress server and alert on deviations.

How to Mitigate CVE-2026-12100

Immediate Actions Required

  • Disable or uninstall the URL Preview plugin on any WordPress site running version 1.0 or earlier until a patched release is published.
  • Restrict egress from WordPress hosts so they cannot reach internal management networks, databases, or cloud metadata endpoints directly.
  • Deploy WAF signatures that reject requests to the plugin endpoint when the url parameter targets private or reserved IP ranges.

Patch Information

No fixed version is identified in the published advisory at the time of writing. Review the Wordfence Vulnerability Report for updates and apply the vendor patch as soon as it becomes available.

Workarounds

  • Block public access to the plugin's preview endpoint at the reverse proxy or WAF layer.
  • Configure outbound firewall rules to deny traffic from the WordPress host to RFC1918, loopback, and 169.254.169.254 destinations.
  • Use IMDSv2 on AWS workloads to require session tokens for instance metadata access, reducing SSRF impact against cloud credentials.
bash
# Example egress restriction using iptables on the WordPress host
iptables -A OUTPUT -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 169.254.0.0/16 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.