
CVE-2026-24548: Radio Player Plugin SSRF Vulnerability

CVE-2026-24548 is a server-side request forgery flaw in the Radio Player WordPress plugin by princeahmed affecting versions up to 2.0.91. This article covers the technical details, affected versions, and mitigation.


CVE-2026-24548 Overview

CVE-2026-24548 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting the princeahmed Radio Player plugin for WordPress. The flaw exists in all versions up to and including 2.0.91. An unauthenticated attacker can coerce the vulnerable WordPress server into issuing arbitrary HTTP requests to internal or external systems. The vulnerability carries a CVSS 3.1 score of 5.4 and requires high attack complexity but no authentication or user interaction.

Critical Impact

An unauthenticated remote attacker can abuse the Radio Player plugin to pivot requests through the WordPress host and reach internal network resources, with limited impact on confidentiality and integrity that extends beyond the vulnerable component's own security scope.

Affected Products

  • princeahmed Radio Player WordPress plugin (radio-player)
  • All versions from initial release through 2.0.91
  • WordPress sites running the plugin in default configuration

Discovery Timeline

  • 2026-01-23 - CVE-2026-24548 published to NVD
  • 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-24548

Vulnerability Analysis

The vulnerability is a Server-Side Request Forgery condition in the Radio Player plugin. The plugin accepts a user-controlled URL parameter and passes it to a server-side HTTP fetch routine without validating the destination host, scheme, or resolved IP address. This allows an attacker to direct the WordPress server to issue outbound requests to arbitrary endpoints, including internal RFC1918 ranges, loopback addresses, and cloud metadata services.

Because exploitation occurs from the server's network position, the request bypasses perimeter access controls protecting internal services. The CWE-918 classification confirms the underlying weakness is improper validation of an externally supplied URL used in a backend request. The EPSS probability remains low, indicating limited observed exploitation activity at the time of publication.

Root Cause

The root cause is missing allowlist validation on the URL parameter consumed by the plugin's server-side request handler. The plugin trusts client-supplied input when constructing outbound HTTP requests and does not restrict the target host, protocol, or port. No authentication is enforced on the affected endpoint, making the request reachable by anonymous network users.
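The missing check described above is the one a server-side fetch must perform before it connects anywhere. The following Python function is an added example of that check; it is not the Radio Player plugin's code (the plugin is PHP, and the same logic applies there), and the allowlist entries, function names and fake DNS table are constructed assumptions. It goes one step beyond the host allowlist the text names: it also rejects every address the host resolves to that falls in a loopback, RFC 1918, CGNAT, link-local, multicast or reserved range, unwraps IPv4-mapped IPv6 so `::ffff:127.0.0.1` is judged as `127.0.0.1`, and returns the validated address so the caller connects to what was checked rather than resolving again.

```python
"""Allowlist and resolved-address validation for a server-side URL fetch.

Added example for CVE-2026-24548, not the Radio Player plugin's own code (the
plugin is PHP; the logic is the same). The allowlist, function names and the
fake DNS table used by the demo are constructed for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Hypothetical allowlist of stream hosts the site is permitted to fetch from.
ALLOWED_HOSTS = {"stream.example-radio.test", "cdn.example-radio.test"}
# Addresses a public CMS should never be made to contact: loopback, RFC 1918,
# CGNAT, link-local (covers 169.254.169.254), multicast, reserved/unspecified,
# and their IPv6 counterparts.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def system_resolver(host):
    """Every address the system resolver returns for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public_address(ip_text):
    """True if the address falls in BLOCKED_NETS. IPv4-mapped IPv6 is unwrapped
    first so that ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason, pinned_ip).

    Checks scheme, host presence, host allowlist (skipped when allowed_hosts is
    None), port, then every address the host resolves to. pinned_ip is the
    address the caller should connect to; resolving again at connect time would
    reopen a DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, None
    host = parts.hostname
    if not host:
        return False, "no host in URL", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist: %s" % host, None
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port, None
    try:
        ipaddress.ip_address(host)
        addresses = [host]                      # literal address, nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc, None
    if not addresses:
        return False, "resolution returned no addresses", None
    for addr in addresses:
        if is_non_public_address(addr):
            return False, "resolves to a non-public address: %s" % addr, None
    return True, "ok", addresses[0]


# Constructed DNS table so the demo and its checks run offline.
FAKE_DNS = {
    "stream.example-radio.test": ["203.0.113.10"],
    "cdn.example-radio.test": ["2001:db8::10", "203.0.113.20"],
    # A name whose records mix a public and an internal address.
    "rebind.example-radio.test": ["203.0.113.11", "10.0.0.5"],
}


def fake_resolver(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # allowed_hosts=None here so the demo exercises the address checks themselves.
    for candidate in (
        "https://stream.example-radio.test/live.mp3",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "https://rebind.example-radio.test/live.mp3",
        "ftp://stream.example-radio.test/",
        "https://stream.example-radio.test:8443/",
    ):
        print(candidate, "->", validate_outbound_url(candidate, None, fake_resolver))
```

The resolver is injected so the check can be unit-tested without network access; in production the default `system_resolver` is used. Rejecting a name when any of its records is non-public, rather than only the first, is deliberate: a mixed record set is exactly what a rebinding or split-horizon setup produces. In a WordPress context the equivalent built-in is `wp_safe_remote_get()`, which applies comparable destination checks, but an allowlist of permitted stream hosts is still the stronger control for an endpoint that anonymous users can reach.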

Attack Vector

The attack is network-based and requires no privileges or user interaction. An attacker sends a crafted HTTP request to the vulnerable plugin endpoint containing a target URL. The WordPress server then performs the request against the attacker-specified destination and may return response data or behavioral signals to the attacker. The high attack complexity reflects conditions such as specific request shaping or timing required to obtain useful responses from internal targets. Refer to the Patchstack SSRF Vulnerability Advisory for the technical breakdown.

Detection Methods for CVE-2026-24548

Indicators of Compromise

  • Outbound HTTP requests originating from the WordPress PHP worker process to internal RFC1918 addresses, 127.0.0.1, or 169.254.169.254
  • Web server access logs showing repeated requests to Radio Player plugin AJAX or REST endpoints from a single source
  • Unexpected DNS lookups generated by the WordPress host targeting attacker-controlled domains
  • HTTP response anomalies in plugin endpoints returning content from non-public hosts

Detection Strategies

  • Inspect web server logs for requests to Radio Player plugin endpoints containing fully qualified URLs in query or POST parameters
  • Monitor egress traffic from WordPress hosts for connections to internal subnets or cloud metadata IPs that should not originate from a public-facing CMS
  • Deploy WAF rules that flag requests containing URL-shaped parameters destined for radio-player endpoints

Monitoring Recommendations

  • Enable DNS query logging on WordPress hosts and alert on lookups to internal-only zones
  • Capture process-level network telemetry to attribute outbound connections to the PHP worker rather than legitimate user traffic
  • Correlate plugin endpoint requests with subsequent egress connections within a short time window to identify SSRF chains
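The detection strategies and monitoring recommendations above reduce to one join: plugin endpoint requests whose query parameters carry a URL, matched against egress connections made by the PHP worker shortly afterwards. The following Python script is an added example of that correlation over constructed log lines; it is not tooling from Patchstack, WordPress or the plugin. The REST path `/wp-json/radio-player/v1/stream`, the `url` parameter name, the `WP-EGRESS:` iptables LOG prefix and the worker UID 33 (www-data on Debian/Ubuntu, recorded with `LOG --log-uid`) are assumptions; the internal-range list mirrors the indicators listed above.

```python
"""Correlate plugin-endpoint requests carrying URL-shaped parameters with
egress connections from the PHP worker shortly afterwards.

Added example for CVE-2026-24548, not code from the plugin or Patchstack.
The endpoint path, parameter name, LOG prefix, UID and all log lines are
constructed for illustration."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PLUGIN_MARKERS = ("radio-player", "radio_player")   # assumed to appear in plugin request paths
WEB_UID = "33"              # www-data on Debian/Ubuntu; recorded by iptables LOG --log-uid
SYSLOG_YEAR = 2026          # syslog timestamps carry no year
WINDOW = timedelta(seconds=3)
# Internal ranges from the indicator list: RFC 1918, loopback, link-local (metadata service).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def url_params(target):
    """Yield every query-parameter value that is itself an http(s) URL."""
    for values in parse_qs(urlsplit(target).query).values():
        for value in values:
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.hostname:
                yield value


def parse_access(line):
    """Combined-format access log line for a plugin endpoint with a URL parameter -> dict, else None."""
    m = ACCESS_RE.match(line)
    if not m or not any(k in m.group("target").lower() for k in PLUGIN_MARKERS):
        return None
    urls = list(url_params(m.group("target")))
    if not urls:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "src": m.group("src"), "urls": urls, "status": int(m.group("status"))}


def parse_egress(line):
    """iptables LOG line in syslog format -> {ts, dst, dpt, uid}, else None."""
    if "kernel:" not in line:
        return None
    fields = dict(re.findall(r"\b(DST|DPT|UID)=(\S+)", line))
    if "DST" not in fields:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    ts = ts.replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
    return {"ts": ts, "dst": fields["DST"], "dpt": fields.get("DPT"), "uid": fields.get("UID")}


def correlate(access_lines, egress_lines):
    """Pair each plugin request with egress by the web UID, within WINDOW after it,
    to the requested literal host or to any internal range. Returns (alerts, per_source)."""
    requests = [r for r in map(parse_access, access_lines) if r]
    egress = [e for e in map(parse_egress, egress_lines) if e]
    alerts = []
    for r in requests:
        wanted = {urlsplit(u).hostname for u in r["urls"]}
        for e in egress:
            lag = e["ts"] - r["ts"]
            if e["uid"] != WEB_UID or not timedelta(0) <= lag <= WINDOW:
                continue
            exact = e["dst"] in wanted
            if exact or is_internal(e["dst"]):
                alerts.append({"src": r["src"], "requested": r["urls"][0], "egress_dst": e["dst"],
                               "dpt": e["dpt"], "lag_s": lag.total_seconds(), "exact_match": exact})
    return alerts, Counter(r["src"] for r in requests)


# Constructed sample logs: one legitimate stream fetch (203.0.113.77), two probes from
# 198.51.100.9 against the metadata service and an internal host, one unrelated page
# view, and one egress connection by root (UID=0) that must not be attributed to PHP.
ACCESS_LOG = [
    '203.0.113.77 - - [23/Jan/2026:10:15:01 +0000] "GET /wp-json/radio-player/v1/stream?url=https://stream.example-radio.test/live.mp3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Jan/2026:10:15:20 +0000] "GET /wp-json/radio-player/v1/stream?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [23/Jan/2026:10:15:24 +0000] "GET /wp-json/radio-player/v1/stream?url=http://10.0.0.5:80/ HTTP/1.1" 200 300 "-" "curl/8.0"',
    '203.0.113.50 - - [23/Jan/2026:10:15:30 +0000] "GET /?p=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]
EGRESS_LOG = [
    "Jan 23 10:15:02 web01 kernel: WP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.200 LEN=60 PROTO=TCP SPT=44110 DPT=443 UID=33 GID=33",
    "Jan 23 10:15:21 web01 kernel: WP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=169.254.169.254 LEN=60 PROTO=TCP SPT=44112 DPT=80 UID=33 GID=33",
    "Jan 23 10:15:25 web01 kernel: WP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=44113 DPT=80 UID=33 GID=33",
    "Jan 23 10:15:26 web01 kernel: WP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.9 LEN=60 PROTO=TCP SPT=44114 DPT=3306 UID=0 GID=0",
]

if __name__ == "__main__":
    found, counts = correlate(ACCESS_LOG, EGRESS_LOG)
    print("plugin requests per source:", dict(counts))
    for alert in found:
        print("ALERT", alert)
```

Two things the output shows that a single log source does not: the legitimate stream fetch produces an egress connection too, but to a public host, so it is not alerted, and the root-owned connection to 10.0.0.9 is ignored because only connections attributed to the PHP worker's UID count. The `exact_match` flag separates a literal-IP target confirmed by the egress destination from the weaker case of a hostname target followed by any internal connection; the per-source counter feeds the "repeated requests from a single source" indicator.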

How to Mitigate CVE-2026-24548

Immediate Actions Required

  • Identify all WordPress installations running the Radio Player plugin at version 2.0.91 or earlier
  • Disable or remove the plugin until a patched release is installed and verified
  • Restrict outbound network access from WordPress hosts to only required destinations using host-based or network firewalls
  • Block access to cloud instance metadata endpoints (169.254.169.254) from the WordPress application layer

Patch Information

At the time of NVD publication, the advisory lists versions up to and including 2.0.91 as vulnerable. Administrators should consult the Patchstack SSRF Vulnerability Advisory and the plugin author's release notes for the fixed version and upgrade as soon as it is available.

Workarounds

  • Remove the Radio Player plugin from any WordPress instance that does not require its functionality
  • Apply a virtual patch via WAF to reject requests to plugin endpoints carrying URL parameters pointing to internal or loopback addresses
  • Enforce egress filtering so the WordPress PHP process can only reach approved external hosts on ports 80 and 443
```bash
# Configuration example - egress restriction using iptables on the WordPress host.
# The owner match only works in the OUTPUT chain. www-data is the web/PHP user on
# Debian/Ubuntu; substitute apache, nginx or the php-fpm pool user elsewhere.
# Insert these before any broad ACCEPT rule. The 127.0.0.0/8 rule also blocks local
# services the site reaches over TCP loopback (a local database or cache), so add
# ACCEPT rules for those ports ahead of it if they are in use.
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j REJECT
# Rules added this way do not survive a reboot; persist them with the distribution's mechanism.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
