PatchSiren cyber security CVE debrief

CVE-2026-46697 stefanbohacek CVE debrief

CVE-2026-46697 is a HIGH severity vulnerability in the Fediverse Embeds WordPress plugin. Versions prior to 1.5.8 are vulnerable to Server-Side Request Forgery (SSRF). The plugin registered an unauthenticated REST route 'ftf/media-proxy' that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. Any anonymous visitor could therefore use the endpoint as a full-read SSRF / open proxy.

Vendor: stefanbohacek
Product: fediverse-embeds-wordpress-plugin
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Users of the Fediverse Embeds WordPress plugin, particularly those who have not updated to version 1.5.8 or later, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

Prior to version 1.5.8, the Fediverse Embeds WordPress plugin was vulnerable to SSRF. The cause was an unauthenticated REST route 'ftf/media-proxy' that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without validating it. A comment block in the plugin's source indicated that the request should be validated against allowed fediverse domains, but that validation was not actually implemented in version 1.5.7.

Defensive priority

HIGH

Recommended defensive actions

  • Update the Fediverse Embeds WordPress plugin to version 1.5.8 or later.
  • Restrict access to the 'ftf/media-proxy' REST route to authenticated users only.
  • Implement proper validation for requests to ensure they are only sent to allowed fediverse domains.
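As an added example that is not the plugin's own code, the following hardened handler for the 'ftf/media-proxy' route applies the second and third actions above: it requires an authenticated caller, validates the decoded URL, and checks its host against an allowlist before calling wp_remote_get(). The query-parameter name 'url', the function names and the allowlist contents are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed: the base64 URL arrives in a
// query parameter named 'url'; the allowlist below is a constructed placeholder.
define( 'FTF_EXAMPLE_ALLOWED_HOSTS', array( 'mastodon.social', 'instance.example' ) );

// Decode and validate the proxy target; returns the URL string or a WP_Error.
function ftf_example_validate_proxy_target( $encoded ) {
    $url = base64_decode( $encoded, true ); // strict mode rejects malformed input
    if ( false === $url ) {
        return new WP_Error( 'ftf_bad_encoding', 'Not valid base64.', array( 'status' => 400 ) );
    }
    // Rejects non-http(s) schemes, embedded credentials and loopback/private
    // address ranges (unless a filter explicitly allows them).
    $url = wp_http_validate_url( $url );
    if ( false === $url ) {
        return new WP_Error( 'ftf_bad_url', 'URL rejected.', array( 'status' => 400 ) );
    }
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, FTF_EXAMPLE_ALLOWED_HOSTS, true ) ) {
        return new WP_Error( 'ftf_host_not_allowed', 'Host not allowed.', array( 'status' => 403 ) );
    }
    return $url;
}

function ftf_example_media_proxy( WP_REST_Request $request ) {
    $target = ftf_example_validate_proxy_target( (string) $request->get_param( 'url' ) );
    if ( is_wp_error( $target ) ) {
        return $target; // the REST API serialises WP_Error with its 'status' code
    }
    // No redirect following: a 3xx from an allowed host must not re-target the fetch.
    $response = wp_remote_get( $target, array( 'timeout' => 5, 'redirection' => 0, 'reject_unsafe_urls' => true ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'ftf_upstream', 'Upstream fetch failed.', array( 'status' => 502 ) );
    }
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $type, 'image/' ) ) { // only proxy images, never arbitrary content
        return new WP_Error( 'ftf_not_image', 'Upstream is not an image.', array( 'status' => 415 ) );
    }
    header( 'Content-Type: ' . $type );
    echo wp_remote_retrieve_body( $response ); // binary passthrough, so no HTML escaping applies
    exit;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ftf', '/media-proxy', array(
        'methods'             => 'GET',
        'callback'            => 'ftf_example_media_proxy',
        'permission_callback' => 'is_user_logged_in', // authenticated users only
        'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```

Disabling redirects and restricting the response to image content types are the two checks that keep the allowlist from being bypassed after the initial validation passes.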

Evidence notes

The CVE-2026-46697 vulnerability was patched in version 1.5.8 of the Fediverse Embeds WordPress plugin. The vulnerability had a CVSS score of 7.5 and was classified as HIGH severity.

Official resources

CVE-2026-46697 was published on 2026-06-11T18:16:25.957Z and modified on 2026-06-11T20:59:55.650Z.