PatchSiren

stefanbohacek CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM stefanbohacek CVE published 2026-06-11

CVE-2026-46698

CVE-2026-46698 is a vulnerability in the Fediverse Embeds WordPress plugin prior to version 1.5.9. The plugin registered an unauthenticated AJAX action `wp_ajax_nopriv_ftf_get_site_info` that verified a nonce `ftf-fediverse-embeds-nonce` and then called `file_get_html($site_url)` on an attacker-supplied URL. The nonce was enqueued onto every public page containing a fediverse embed, making it accessible t [truncated]

HIGH stefanbohacek CVE published 2026-06-11

CVE-2026-46697

CVE-2026-46697 is a HIGH severity vulnerability in the Fediverse Embeds WordPress plugin. Versions prior to 1.5.8 are vulnerable to a Server-Side Request Forgery (SSRF) attack. The plugin registered an unauthenticated REST route `ftf/media-proxy` that accepted a base64-encoded URL and forwarded it to `wp_remote_get($url)` without enforcing any allowlist. This allowed any anonymous visitor to exploit the vul [truncated]