MEDIUM
bensibley
CVE published 2026-05-28
CVE-2026-5737
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 2.14.9. The vulnerability stems from a publicly accessible REST API endpoint at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when a signature validation check passes. The signature mechanism is insufficiently protected because the signature is [truncated]