CVE-2026-5737 Overview
The Independent Analytics plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 2.14.9. Unauthenticated attackers can inject arbitrary referrer domains through the /wp-json/iawp/search REST API endpoint and trigger server-side HTTP requests to attacker-chosen hosts. The plugin's scheduled favicon fetcher then performs raw cURL requests against these stored domains without any SSRF protections, enabling probing of internal network services. The flaw is categorized as CWE-918.
Critical Impact
Unauthenticated attackers can force the WordPress server to issue HTTP requests to internal services, localhost endpoints, and cloud metadata APIs.
Affected Products
- Independent Analytics plugin for WordPress (all versions through 2.14.9)
- WordPress sites with the independent-analytics plugin active
- Hosting environments exposing internal services reachable from the WordPress host
Discovery Timeline
- 2026-05-28 - CVE-2026-5737 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-5737
Vulnerability Analysis
The vulnerability resides in the plugin's public tracking endpoint and its asynchronous favicon download routine. The /wp-json/iawp/search route accepts a referrer_url parameter from unauthenticated clients when a request signature validates successfully. The signature scheme, however, is not a secret: the validation key is embedded in publicly accessible JavaScript served to site visitors, and the per-site salt is static.
Attackers can extract valid signatures from any page that loads the analytics tracker and replay them with attacker-controlled referrer_url values. Once stored, the domain is later processed by the FetchFaviconsJob scheduled task, which invokes FaviconDownloader.php to retrieve the site's favicon over HTTP. The downloader uses raw cURL primitives instead of WordPress's hardened wp_safe_remote_get() helpers.
Root Cause
Two design defects combine to produce the SSRF. First, the signature gating on the REST route is not a true authentication boundary because the signing material is exposed to clients. Second, the favicon fetcher in FaviconDownloader.php lacks any URL allowlist, private-network filter, or loopback restriction. There is no check against IPv4 ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.169.254, nor against IPv6 link-local addresses.
Attack Vector
An unauthenticated attacker first retrieves the analytics JavaScript from any public page of the target site and extracts the embedded signature material. The attacker then crafts a POST request to /wp-json/iawp/search with a forged signature and a referrer_url pointing to an internal target such as http://127.0.0.1:8080/ or http://169.254.169.254/latest/meta-data/. The malicious domain is persisted in the plugin's database. When FetchFaviconsJob next executes via WP-Cron, the server issues an unconstrained cURL request to the attacker-specified host. See the Wordfence Vulnerability Report for additional analysis.
Detection Methods for CVE-2026-5737
Indicators of Compromise
- POST requests to /wp-json/iawp/search containing referrer_url values pointing to RFC1918 addresses, localhost, 127.0.0.1, or 169.254.169.254
- Outbound cURL requests from the WordPress PHP worker process to internal network ranges that do not normally receive traffic from the web tier
- Unexpected entries in the wp_iawp_* plugin tables referencing non-public hostnames
- Repeated favicon fetch failures in WordPress error logs for unusual domains
Detection Strategies
- Inspect web server access logs for unauthenticated POST traffic to /wp-json/iawp/search with anomalous referrer parameters
- Correlate WP-Cron execution windows with outbound network connections from the PHP-FPM process to internal subnets
- Hunt for cloud metadata service access (169.254.169.254) originating from the WordPress host
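The address check the favicon downloader lacks (Root Cause above) and the access-log hunt from the detection strategies, as one added Python example that is not code from the plugin or this advisory; the log lines, client addresses and the assumption that the reverse proxy records referrer_url as a query-string field are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse, unquote

# Ranges the fetcher must refuse: IPv4 loopback, RFC1918, link-local (covers
# 169.254.169.254) and the IPv6 loopback, link-local and unique-local blocks.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_internal_target(url: str) -> bool:
    """True if the URL names localhost or a literal address in a blocked range.
    Resolve DNS names first and re-check each result (catches 2130706433 too)."""
    host = urlparse(url).hostname  # lowercased; brackets, port, userinfo removed
    if not host:
        return True  # unparseable target: fail closed
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve, then re-check the addresses
    # IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are judged as their IPv4 form
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)

ENDPOINT = "/wp-json/iawp/search"
REFERRER_RE = re.compile(r'referrer_url=([^&\s"]+)')

def flag_ssrf_attempts(log_lines):
    """(client_ip, decoded referrer_url) for each POST to the route whose referrer_url is internal."""
    hits = []
    for line in log_lines:
        if f'"POST {ENDPOINT}' not in line:
            continue
        m = REFERRER_RE.search(line)
        if m:
            target = unquote(m.group(1))
            if is_internal_target(target):
                hits.append((line.split(" ", 1)[0], target))
    return hits

# Constructed sample access-log lines (not from the page); assumes the proxy
# logs referrer_url as a query-string field, since POST bodies are not logged.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:10:01:02 +0000] "POST /wp-json/iawp/search?referrer_url=https%3A%2F%2Fnews.example%2F HTTP/1.1" 200 17',
    '203.0.113.7 - - [28/May/2026:10:01:09 +0000] "POST /wp-json/iawp/search?referrer_url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 17',
    '198.51.100.4 - - [28/May/2026:10:02:11 +0000] "POST /wp-json/iawp/search?referrer_url=http%3A%2F%2F%5B%3A%3Affff%3A127.0.0.1%5D%3A8080%2F HTTP/1.1" 200 17',
]
```

The same is_internal_target() check applied to the stored referrer domains in the wp_iawp_* tables covers the database audit step as well.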
Monitoring Recommendations
- Enable egress logging on the WordPress server and alert on connections to private IP ranges from PHP processes
- Inspect the plugin's database tables for stored referrer domains and flag entries containing IP literals or internal hostnames
- Forward WordPress REST API access logs to a centralized analytics platform for retrospective analysis
How to Mitigate CVE-2026-5737
Immediate Actions Required
- Update the Independent Analytics plugin to a version later than 2.14.9 once the vendor publishes a fix
- Audit the plugin's database tables and remove any referrer entries pointing to internal or non-public hosts
- Restrict outbound connectivity from the WordPress server to deny traffic to RFC1918 ranges and 169.254.169.254
- Disable the plugin if a patched version is not yet available and the site is internet-exposed
Patch Information
Review the WordPress.org plugin repository for the latest release and consult the WordPress Version Changeset for code-level changes. The vulnerable logic is documented in FaviconDownloader.php, FetchFaviconsJob.php, and REST_API.php.
Workarounds
- Block external access to /wp-json/iawp/search at the web application firewall layer until a patched plugin version is installed
- Configure host-level egress filtering to prevent the WordPress server from reaching internal services and cloud metadata endpoints
- Disable WP-Cron execution for the iawp_fetch_favicons scheduled hook to prevent the favicon fetcher from running
# Example nginx rule to block the vulnerable endpoint
location = /wp-json/iawp/search {
    deny all;
    return 403;
}
# Example iptables egress restriction for the WordPress host (assumes PHP runs as www-data)
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
# Remaining RFC1918 ranges, so the rule set matches the egress restriction recommended above
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.