PatchSiren cyber security CVE debrief
CVE-2026-5737 bensibley CVE debrief
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 2.14.9. The vulnerability stems from a publicly accessible REST API endpoint at /wp-json/iawp/search that accepts attacker-controlled referrer_url values whenever a signature validation check passes. The signature mechanism is insufficiently protected because the signature is embedded in publicly accessible JavaScript and the salt remains static per site, so an attacker can extract and forge valid signatures. Once attacker-supplied domains are stored in the database, a scheduled favicon fetcher job issues unrestricted cURL requests to those stored domains without any SSRF protection: there is no localhost blocking, no private-network filtering, and no use of WordPress's wp_safe_remote_* functions. This allows unauthenticated attackers to induce the server to make requests to arbitrary hosts, including internal services. The vulnerability was published on May 28, 2026, with a CVSS 3.1 score of 6.5 (Medium severity).
- Vendor: bensibley
- Product: Independent Analytics – WordPress Analytics Plugin
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators running the Independent Analytics plugin, security teams monitoring WordPress installations, hosting providers offering managed WordPress services, and organizations with internal services reachable from their web server networks.
Technical summary
The vulnerability chain begins with signature extraction from public JavaScript, proceeds through forged requests to the /wp-json/iawp/search endpoint that inject attacker-chosen referrer domains, and culminates in server-side HTTP requests made by the scheduled favicon fetcher's raw cURL implementation. Because FaviconDownloader.php applies no SSRF protections, those requests can reach internal services and, on cloud-hosted WordPress installations, the instance metadata service.
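The pre-fetch checks the summary says are missing (localhost blocking and private-network filtering, which also covers the link-local cloud metadata address), written out as an added Python illustration; this is not the plugin's code or a patch for it, and a fixed PHP plugin would reach for wp_safe_remote_get instead. The resolver interface, the FAKE_DNS table and the https://domain/favicon.ico URL layout are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Hypothetical resolver: hostname -> addresses; injected so this runs offline.
Resolver = Callable[[str], List[str]]

# Constructed lookup table standing in for DNS; these are not real records.
FAKE_DNS: Dict[str, List[str]] = {
    "blog.example": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "meta.example": ["169.254.169.254"],
    "dual.example": ["93.184.216.35", "192.168.1.1"],  # one public, one private
}

def _is_public(addr: str) -> bool:
    """True only for a globally routable unicast address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved)

def is_safe_fetch_target(url: str, resolve: Resolver) -> bool:
    """Pre-fetch guard the advisory says the favicon job lacks: http(s) only, no
    credentials, standard ports, and every address the host resolves to must be
    public (loopback/private: internal services; link-local: 169.254.169.254)."""
    try:
        p = urlsplit(url)
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:
        return False
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if p.username or p.password or port not in (80, 443):
        return False
    try:
        ipaddress.ip_address(p.hostname)  # literal address: no DNS lookup needed
        addrs = [p.hostname]
    except ValueError:
        addrs = resolve(p.hostname)
    # Every resolved address must pass, so a name that mixes a public and a
    # private record (DNS rebinding style) is rejected as a whole.
    return bool(addrs) and all(_is_public(a) for a in addrs)

def screen_referrers(domains: List[str], resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Split stored referrer domains into (fetchable, blocked) before any request."""
    ok = [d for d in domains if is_safe_fetch_target(f"https://{d}/favicon.ico", resolve)]
    return ok, [d for d in domains if d not in ok]
```

A name that fails to resolve is treated as blocked rather than retried, since the job has no reason to fetch from a host it cannot identify.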
Defensive priority
HIGH
Recommended defensive actions
- Update Independent Analytics plugin to version 2.15.0 or later if available
- Implement network egress filtering to restrict outbound connections from WordPress servers
- Consider disabling the plugin until a patch is available if immediate update is not possible
- Review server logs for suspicious outbound requests to internal IP ranges or unexpected domains
- Apply WordPress hardening measures including restricting REST API access where functionality permits
Evidence notes
Source code analysis confirms that FaviconDownloader.php uses raw cURL functions without SSRF mitigations, and that the REST_API.php endpoint at line 409 processes attacker-controlled referrer_url parameters. The signature validation weakness is documented in View.php, where the static salt and the client-side exposure of the signature together enable forgery.
Official resources
The vulnerability was disclosed via Wordfence and published in the NVD on May 28, 2026. The disclosure includes source code references identifying the vulnerable components in both tagged version 2.14.4 and trunk.