CVE-2026-3478 Overview
The Content Syndication Toolkit plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 1.3. The vulnerability exists in the bundled ReduxFramework library, specifically within the redux_p AJAX action that exposes an unauthenticated proxy endpoint. This flaw allows remote attackers to make arbitrary web requests originating from the vulnerable WordPress server, potentially enabling access to internal services, cloud metadata endpoints, and internal network reconnaissance.
Critical Impact
Unauthenticated attackers can leverage this full-read SSRF vulnerability to query internal services, access cloud metadata endpoints (such as AWS IMDSv1), scan internal network ports, and potentially pivot to compromise internal infrastructure.
Affected Products
- Content Syndication Toolkit WordPress Plugin version 1.3 and earlier
- Bundled ReduxFramework library (class.p.php)
- WordPress installations with the affected plugin activated
Discovery Timeline
- 2026-03-21 - CVE-2026-3478 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-3478
Vulnerability Analysis
This SSRF vulnerability is classified under CWE-918 (Server-Side Request Forgery). The vulnerability stems from the plugin registering an unauthenticated AJAX endpoint (wp_ajax_nopriv_redux_p) that functions as an open proxy. The proxy() method in the Redux_P class accepts a URL directly from the $_GET['url'] parameter without proper validation or sanitization.
The endpoint lacks fundamental security controls: there is no authentication check to verify the user's identity, no nonce verification to prevent CSRF attacks, and, critically, no URL restriction or allowlist to limit which destinations can be requested. The regex pattern used for URL validation is `/.*/`, which matches any input and therefore provides no protection at all.
When processing requests, the vulnerable code passes the attacker-supplied URL directly to WordPress's wp_remote_request() function. Unlike wp_safe_remote_request(), this function does not include built-in SSRF protections to block requests to internal or private IP ranges. The complete response from the requested URL is then returned to the attacker, making this a "full-read" SSRF that provides visibility into internal service responses.
Root Cause
The root cause of this vulnerability is the combination of several security failures in the ReduxFramework's Redux_P class: (1) exposing an AJAX action to unauthenticated users via the wp_ajax_nopriv_ hook prefix, (2) accepting user-supplied URLs without validation using a permissive regex pattern, (3) using wp_remote_request() instead of the safer wp_safe_remote_request() function, and (4) returning the complete server response to the requester without filtering sensitive data.
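To make the second and third root-cause items concrete, the following is an added illustration (not code from the Content Syndication Toolkit, ReduxFramework or WordPress) written in Python rather than PHP so it can be run stand-alone. It contrasts the advisory's permissive `/.*/` pattern, which accepts every input, with the kind of check a safe fetch routine such as wp_safe_remote_request() performs: restrict the scheme and port, reject literal addresses in non-globally-routable ranges (RFC 1918, loopback, the 169.254.0.0/16 link-local range that contains the cloud metadata address), and require any hostname to be on an explicit allowlist. The allowlist entries and the function names are assumptions made for this example.

```python
"""
Reference URL validator for a server-side fetch endpoint.

Added illustration for CVE-2026-3478, not code from the vulnerable plugin.
It shows why /.*/ blocks nothing and what a deny-by-default check looks like.
ALLOWED_HOSTS is a constructed allowlist, not taken from any real site.
"""
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlsplit

# The advisory's pattern: every string matches, so nothing is rejected.
PERMISSIVE_PATTERN = re.compile(r".*")

# Constructed allowlist: hostnames this site legitimately syndicates from.
ALLOWED_HOSTS = {"feeds.example.org", "cdn.example.net"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def permissive_check(url: str) -> bool:
    """What the vulnerable validation effectively does: every URL passes."""
    return PERMISSIVE_PATTERN.fullmatch(url) is not None


def is_blocked_address(host: str) -> bool:
    """True if `host` is a literal IP that a server-side fetch must never
    contact: loopback, RFC 1918 private, link-local (169.254.0.0/16, which
    includes the cloud metadata endpoint), multicast, reserved, unspecified.
    Non-literal hostnames return False here and are judged by the allowlist."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return not addr.is_global


def is_safe_target(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied.

    Caveat: an allowlisted hostname can still resolve to an internal address
    (DNS rebinding). Pair this check with egress filtering or with
    resolve-then-pin logic in the HTTP client; hostname allowlisting alone
    is not sufficient.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if is_blocked_address(host):
        return False, f"address {host} is not globally routable"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "http://169.254.169.254/latest/meta-data/",
        "http://10.0.0.5/",
        "https://feeds.example.org/feed.xml",
    ):
        print(candidate, "permissive:", permissive_check(candidate),
              "strict:", is_safe_target(candidate))
```

The ordering of the checks matters less than the default: the function returns `(False, ...)` unless every condition is satisfied, which is the opposite of the `/.*/` pattern's behaviour. The metadata address fails the non-global check even though it is syntactically a valid http URL on port 80.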
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can craft malicious requests to the vulnerable AJAX endpoint, specifying internal URLs such as cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/), internal web applications, or private IP addresses. The WordPress server then acts as a proxy, making the request on behalf of the attacker and returning the response. This allows attackers to bypass network segmentation and access resources that should only be accessible from within the internal network.
The vulnerability can be exploited by sending a crafted HTTP request to the WordPress site's admin-ajax.php endpoint with the action parameter set to redux_p and a url parameter containing the target internal resource.
Detection Methods for CVE-2026-3478
Indicators of Compromise
- Suspicious requests to /wp-admin/admin-ajax.php with action=redux_p parameter from external IP addresses
- Unusual outbound network connections from the WordPress server to internal IP ranges or cloud metadata endpoints (e.g., 169.254.169.254)
- Web server logs showing requests containing URLs pointing to internal services in query parameters
- Increased traffic volume to internal services originating from the WordPress application server
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing action=redux_p parameter combinations
- Implement network-level detection rules for outbound requests to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from web server processes
- Configure intrusion detection systems (IDS) to alert on cloud metadata endpoint access patterns
- Review WordPress debug logs for unexpected wp_remote_request() calls to internal addresses
Monitoring Recommendations
- Enable detailed logging on the WordPress server to capture all AJAX requests and their parameters
- Deploy network monitoring to track egress traffic from web application servers to internal networks
- Implement cloud security monitoring to detect metadata service access from application workloads
- Set up alerting for any outbound connections from WordPress to non-standard ports or RFC 1918 private IP addresses
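The indicators and detection strategies above can be turned into a small log check. The following is an added example (not part of the advisory or of any product) that scans access-log lines for requests to the redux_p AJAX action and escalates those whose url= parameter names a non-globally-routable address such as an RFC 1918 host or 169.254.169.254. The log lines are constructed samples in the common "combined" log format; the source addresses, timestamps and hostnames in them are made up, and the function names are this example's own.

```python
"""
Detection example for CVE-2026-3478.

Added illustration, not code from the advisory or any vendor. It parses
constructed access-log lines, keeps those that hit action=redux_p on
admin-ajax.php, and rates each finding 'high' when the url= parameter
points at an internal (non-global) literal address, else 'medium'.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format); all values are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [21/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [21/Mar/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=https%3A%2F%2Ffeeds.example.org%2Ffeed.xml HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.8 - - [21/Mar/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.0.2.4 - - [21/Mar/2026:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p HTTP/1.1" 400 0 "-" "python-requests/2.31"
"""

# Source, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def target_is_internal(fetched_url: str) -> bool:
    """True if the proxied URL names a literal IP that is not globally
    routable (RFC 1918, loopback, link-local including cloud metadata).
    A hostname returns False: judging it would require DNS resolution."""
    host = urlsplit(fetched_url).hostname
    if not host:
        return False
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def scan_log(text: str) -> List[Dict]:
    """One finding per request to action=redux_p on admin-ajax.php."""
    findings: List[Dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)  # also percent-decodes the url= value
        if "redux_p" not in qs.get("action", []):
            continue
        fetched = qs.get("url", [None])[0]
        findings.append({
            "src": m["src"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "fetched_url": fetched,
            "severity": "high" if fetched and target_is_internal(fetched) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["src"], f["timestamp"], f["fetched_url"])
```

Every redux_p request is reported, because the endpoint has no legitimate unauthenticated caller; the severity split only prioritises triage. A url= value with a hostname rather than a literal address is rated medium here, which is the same resolution gap the egress-monitoring recommendations above are meant to close.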
How to Mitigate CVE-2026-3478
Immediate Actions Required
- Disable or remove the Content Syndication Toolkit plugin immediately if not essential to operations
- Implement WAF rules to block requests containing action=redux_p parameter to /wp-admin/admin-ajax.php
- Review server logs for evidence of exploitation attempts and investigate any suspicious outbound connections
- Conduct an audit of other WordPress plugins that may bundle older versions of ReduxFramework
Patch Information
Users should check for updates to the Content Syndication Toolkit plugin and apply any available security patches. The Wordfence Vulnerability Report provides additional technical details and remediation guidance. The vulnerable code can be reviewed in the WordPress Plugin Repository.
Workarounds
- Add a .htaccess or nginx configuration rule to block access to the vulnerable AJAX action when the plugin cannot be immediately removed
- Implement network-level egress filtering to prevent the WordPress server from making outbound requests to internal IP ranges
- Configure cloud instance metadata service to use IMDSv2 with session tokens to mitigate metadata endpoint access via SSRF
- Use a Web Application Firewall with SSRF protection rules to block requests containing internal IP addresses or sensitive hostnames
# Example nginx configuration to block the vulnerable endpoint
location /wp-admin/admin-ajax.php {
    if ($arg_action = "redux_p") {
        return 403;
    }
    # ... rest of your admin-ajax configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.