PatchSiren cyber security CVE debrief
CVE-2026-46698 stefanbohacek CVE debrief
CVE-2026-46698 is a vulnerability in the Fediverse Embeds WordPress plugin prior to version 1.5.9. The plugin registered an unauthenticated AJAX action `wp_ajax_nopriv_ftf_get_site_info` that verified a nonce `ftf-fediverse-embeds-nonce` and then called `file_get_html($site_url)` on an attacker-supplied URL. The nonce was enqueued onto every public page containing a fediverse embed, so any visitor could read it. The nonce check therefore provided no real access control: an attacker could reuse the nonce and have the server fetch a URL of their choosing. The issue has been patched in version 1.5.9.
- Vendor: stefanbohacek
- Product: fediverse-embeds-wordpress-plugin
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Site owners running the Fediverse Embeds WordPress plugin at any version prior to 1.5.9 should update to the latest version to prevent exploitation of this vulnerability.
Technical summary
The Fediverse Embeds WordPress plugin prior to version 1.5.9 exposed an unauthenticated AJAX action `wp_ajax_nopriv_ftf_get_site_info`. Its only gate was a check of the nonce `ftf-fediverse-embeds-nonce`, which was enqueued on every public page carrying a fediverse embed and was therefore available to any visitor; after that check the handler called `file_get_html($site_url)` on an attacker-supplied URL. The CVSS score for this vulnerability is 5.3, with a severity rating of MEDIUM.
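The following is an added illustration, not the plugin's actual code: a reconstruction of the pattern the advisory describes (nonce check only, then an unrestricted fetch) beside a hardened handler. Function names, the `site_url` parameter, the `edit_posts` capability and the response shape are assumptions; the action and nonce names are those from the advisory.

```php
<?php
// Illustrative reconstruction of the described pattern. The nonce is printed on
// every public page, so passing check_ajax_referer() says nothing about WHO is
// calling; the server then fetches whatever URL the caller supplies.
function ftf_get_site_info_vulnerable() {
    check_ajax_referer( 'ftf-fediverse-embeds-nonce', 'nonce' ); // CSRF check only
    $site_url = $_POST['site_url'];                               // attacker-controlled (assumed name)
    $html     = file_get_html( $site_url );                       // unrestricted server-side fetch
    wp_send_json_success( array( 'title' => $html->find( 'title', 0 )->plaintext ) );
}
// Registering this on the wp_ajax_nopriv_ hook makes it reachable by any visitor.
// add_action( 'wp_ajax_nopriv_ftf_get_site_info', 'ftf_get_site_info_vulnerable' );

// Hardened form: a nonce guards against CSRF, it is not authorisation, so add a
// capability check, validate the URL, and fetch through the WordPress HTTP API
// with unsafe-URL rejection instead of file_get_html().
function ftf_get_site_info_hardened() {
    check_ajax_referer( 'ftf-fediverse-embeds-nonce', 'nonce' );

    // 1. Authorisation: 'edit_posts' is an assumed capability; use whatever fits the feature.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Input validation: sanitise, then let WordPress reject non-http(s) schemes,
    //    loopback/private hosts and other unsafe targets.
    $site_url = isset( $_POST['site_url'] ) ? esc_url_raw( wp_unslash( $_POST['site_url'] ) ) : '';
    if ( '' === $site_url || false === wp_http_validate_url( $site_url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // 3. Bounded fetch: wp_safe_remote_get() sets reject_unsafe_urls, so the same
    //    validation is applied to the request; cap time and response size as well.
    $response = wp_safe_remote_get( $site_url, array(
        'timeout'             => 5,
        'limit_response_size' => 1024 * 1024,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // 4. Extract only what is needed and escape it before returning.
    $body  = wp_remote_retrieve_body( $response );
    $title = '';
    if ( preg_match( '#<title[^>]*>(.*?)</title>#is', $body, $m ) ) {
        $title = sanitize_text_field( html_entity_decode( $m[1] ) );
    }
    wp_send_json_success( array( 'title' => $title ) );
}
// Logged-in hook only; no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_ftf_get_site_info', 'ftf_get_site_info_hardened' );
```

If the feature genuinely must serve anonymous visitors, the capability check cannot apply, and the URL validation, safe fetch and rate limiting become the only controls, so they should be treated as mandatory rather than optional.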
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 1.5.9 or later
Evidence notes
CVE-2026-46698 was patched in version 1.5.9 of the Fediverse Embeds WordPress plugin. The [cve-org] CVE record and the [nvd] NVD detail page provide additional information on this vulnerability.
Official resources
CVE-2026-46698 was published on 2026-06-11T18:16:26.093Z and modified on 2026-06-11T20:59:55.650Z.