Cyber Posture

CVE-2026-0686

High

Published: 02 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: changeset at https://plugins.trac.wordpress.org/changeset/3494831/webmention
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0008 (23.1st percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0686 is a high-severity SSRF (CWE-918) vulnerability affecting WordPress (the affected product is inferred from the references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 23.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Network Service Discovery (T1046). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Validates untrusted inputs to the MF2::parse_authorpage function to prevent processing malicious URLs that trigger unauthorized server-side requests to arbitrary locations.

SC-7 Boundary Protection (prevent, detect): Monitors and controls outbound communications at the web application boundary to block requests to internal or unauthorized services exploited via SSRF.

Flow control (prevent): Enforces flow control policies restricting the web server from initiating connections to internal services based on untrusted plugin inputs.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in a public-facing WordPress plugin directly enables T1190 exploitation; it also facilitates internal network service discovery (T1046) via arbitrary outbound requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Deeper analysis

CVE-2026-0686, published on 2026-04-02, is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 in the Webmention plugin for WordPress. It affects all versions up to and including 5.6.2, specifically in the 'MF2::parse_authorpage' function as reached through the 'Receiver::post' function. The flaw lets the plugin act on an attacker-supplied URL, so that processing a webmention results in unauthorized outbound connections from the server.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Exploitation allows attackers to initiate web requests to arbitrary locations originating from the vulnerable web application, potentially querying or modifying information from internal services.
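As an added defender-side illustration of the SI-10 input-validation control described above, and not code from the Webmention plugin or its patch: a standalone PHP check that rejects a caller-supplied URL before the server fetches it. The function names, the resolver map and the sample URLs are constructed for this example; the resolver is injectable so the demo runs without DNS.

```php
<?php
// Added example, not the Webmention plugin's code: validate a caller-supplied URL
// before the server fetches it (the SI-10 input-validation control for CWE-918).

function is_private_or_reserved_ip(string $ip): bool {
    // filter_var fails for private ranges (10/8, 172.16/12, 192.168/16, fc00::/7)
    // and reserved ones (0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10)
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

function is_safe_outbound_url(string $url, ?callable $resolve = null): bool {
    $resolve = $resolve ?? fn(string $h) => gethostbynamel($h) ?: [];
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) return false;
    // Plain web schemes only: no file://, gopher://, dict:// and friends
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) return false;
    // No embedded credentials, and only the standard web ports (loosen to local policy)
    if (isset($p['user']) || isset($p['pass'])) return false;
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) return false;
    $host = trim($p['host'], '[]'); // parse_url keeps the brackets of an IPv6 literal
    // An IP literal is checked as-is; a hostname is checked on every address it resolves to
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) return false; // unresolvable host: fail closed
    foreach ($ips as $ip) {
        if (is_private_or_reserved_ip($ip)) return false;
    }
    return true;
}

// Constructed resolver map so the demo needs no DNS (addresses are illustrative)
$fake_dns = [
    'example.org' => ['93.184.216.34'],
    'evil.test'   => ['93.184.216.34', '10.0.0.5'], // one public and one internal answer
];
$resolve = fn(string $h) => $fake_dns[$h] ?? [];
$cases = [
    'https://example.org/author'              => true,
    'http://127.0.0.1/wp-admin/'              => false,
    'http://169.254.169.254/latest/meta-data' => false,
    'http://[::1]/'                           => false,
    'http://user:pw@example.org/'             => false,
    'file:///etc/passwd'                      => false,
    'https://evil.test/'                      => false, // any internal answer rejects the host
];
foreach ($cases as $url => $expected) {
    $ok = is_safe_outbound_url($url, $resolve);
    printf("%-42s %s allow=%s\n", $url, $ok === $expected ? 'ok  ' : 'FAIL', var_export($ok, true));
}
```

A passed check must still be paired with connecting to the address that was validated (for example via curl's CURLOPT_RESOLVE), otherwise a host whose DNS answer changes between check and fetch slips through. Inside WordPress itself, wp_safe_remote_get() applies a comparable host check on the caller's behalf.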

References include code locations in the plugin's GitHub and WordPress trac repositories, a patch changeset at https://plugins.trac.wordpress.org/changeset/3494831/webmention, and a Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve, which outline the issue and remediation steps.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-1849 (shared CWE-918)
CVE-2025-1848 (shared CWE-918)
CVE-2026-4528 (shared CWE-918)
CVE-2025-27777 (shared CWE-918)
CVE-2026-40242 (shared CWE-918)
CVE-2026-43526 (shared CWE-918)
CVE-2026-5418 (shared CWE-918)
CVE-2023-53899 (shared CWE-918)
CVE-2025-71259 (shared CWE-918)
CVE-2026-24902 (shared CWE-918)

References