Cyber Resilience

CVE-2026-1648

Severity: High
Published: 21 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0006 (18.4th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1648 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in the Performance Monitor plugin for WordPress (affected product inferred from the references and description; NVD filed no CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1648, published on 2026-03-21, is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the Performance Monitor plugin for WordPress, affecting all versions up to and including 1.0.6. The flaw arises from insufficient validation of the 'url' parameter accepted by the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint: the server fetches whatever URL it is handed, so it can be coerced into issuing requests on the caller's behalf. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N); the changed scope (S:C) reflects that the impact lands on systems other than the vulnerable component, namely whatever the web server can reach.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. They can force the WordPress server to issue requests to arbitrary destinations, including internal services, and the advisory notes that the Gopher protocol and other dangerous URL schemes are accepted. Gopher matters because it lets the attacker control the raw bytes written to a TCP socket, so a line-oriented service such as Redis can be spoken to through the SSRF; that is the basis of the remote code execution chain the advisory describes. Restricting the fetch to http and https, and refusing non-public destinations, removes both halves of that chain.
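Because the vulnerable route and parameter name are fixed, exploitation attempts are visible in ordinary web-server access logs. The following is an example added by the editor, not code from this page, from Wordfence or from the plugin: it parses Common Log Format lines, matches the curl_data route both via the /wp-json/ path and via WordPress's ?rest_route= fallback, and escalates hits whose url value uses a non-http(s) scheme or points at a non-public address. The log lines, client addresses and function names are constructed for the example.

```python
"""Flag access-log requests aimed at the Performance Monitor curl_data route
(CVE-2026-1648). Editor-added example; the log lines below are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_ROUTE = "/performance-monitor/v1/curl_data"   # from the advisory
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample lines: a Gopher probe at loopback, a cloud metadata probe,
# a benign-looking fetch via the rest_route fallback, and an unrelated request.
LOG_LINES = [
    '203.0.113.7 - - [21/Mar/2026:10:02:11 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_ HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Mar/2026:10:02:15 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 128',
    '198.51.100.4 - - [21/Mar/2026:10:03:01 +0000] "GET /?rest_route=%2Fperformance-monitor%2Fv1%2Fcurl_data&url=https%3A%2F%2Fexample.org%2F HTTP/1.1" 200 980',
    '192.0.2.9 - - [21/Mar/2026:10:04:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4120',
]


def is_vuln_route(path, query):
    """True if the request targets curl_data, via /wp-json/ or ?rest_route=."""
    if path.rstrip("/") == "/wp-json" + VULN_ROUTE:
        return True
    return any(r.rstrip("/") == VULN_ROUTE for r in query.get("rest_route", []))


def url_risk(url):
    """Return a reason string for a hostile-looking url value, else None."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme '{scheme or 'none'}'"
    host = parsed.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return f"loopback host {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: whether it resolves internally is not visible in access
        # logs; correlate with resolver logs if the name looks suspicious.
        return None
    if not ip.is_global:
        return f"non-public address {ip}"
    return None


def analyze_line(line):
    """Return a finding dict for a hit on the vulnerable route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    query = parse_qs(parsed.query, keep_blank_values=True)  # decodes %xx
    if not is_vuln_route(parsed.path, query):
        return None
    urls = query.get("url", [])
    reasons = [r for r in (url_risk(u) for u in urls) if r]
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": m.group("status"),
        "url": urls[0] if urls else None,
        # Any unauthenticated hit on this route is worth recording; hostile
        # targets (non-http schemes, internal addresses) escalate it.
        "severity": "high" if reasons else "low",
        "reasons": reasons,
    }


def analyze_log(lines):
    """Run analyze_line over an iterable of log lines, keeping the findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in analyze_log(LOG_LINES):
        print(finding)
```

A 200 response to a high-severity hit means the fetch was attempted, not necessarily that the internal target answered; pair the access-log match with outbound-connection telemetry from the web host (for example, connections from the PHP worker to port 6379 or to 169.254.169.254) to confirm impact.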

Advisories and references, including Wordfence threat intelligence and code excerpts from the plugin's WordPress.org Trac repository (e.g., class-curl.php line 50 and class-rest-callback.php line 168), document the vulnerable endpoint and its parameter handling. Assetnote's GitHub repository on blind SSRF chains provides additional context on the exploitation techniques such vulnerabilities enable.

Vulnerability details

The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An SSRF in a plugin exposed by a public-facing WordPress site is exploitation of the application itself (T1190); the advisory's Redis chain shows how the same foothold extends to code execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)
CVE-2026-45298 (shared CWE-918)
CVE-2026-39362 (shared CWE-918)
CVE-2026-31989 (shared CWE-918)
CVE-2025-27652 (shared CWE-918)
CVE-2026-42352 (shared CWE-918)

Affected Assets

WordPress, Performance Monitor plugin, versions up to and including 1.0.6
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)

Directly addresses the insufficient validation of the 'url' parameter in the REST API endpoint: the scheme, host and port of a caller-supplied URL must be checked against an allowlist before the server issues any request.

AC-4 Information Flow Enforcement (prevent)

Enforces information flow control policies that block server-initiated requests to internal services or over dangerous protocols such as Gopher, regardless of what the application layer accepts.

SC-7 Boundary Protection (prevent, detect; control identifier inferred from the description, the page names only AC-4 and SI-10 explicitly)

Provides boundary protection that monitors and controls outbound connections from the web server, so SSRF attempts toward arbitrary or internal destinations are blocked or at least logged.
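What SI-10 and AC-4 mean concretely for this bug class is an allowlist check the server applies before fetching a caller-supplied URL, which is also the validation the 'url' parameter lacked according to the Deeper analysis above. The block below is an editor-added example written in Python to show the check itself; it is not the plugin's PHP code, not a patch for it, and not taken from any reference on this page. The resolver is injectable so the example runs offline; FAKE_DNS, demo_resolver, validate_outbound_url and the sample URLs are all constructed for the example. The returned pinned address exists so the caller can connect to the validated IP and send the original hostname in the Host header, closing the DNS-rebinding window between check and connect.

```python
"""Allowlist validation of an outbound URL before a server-side fetch.
Editor-added example; the DNS table and sample URLs are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _system_resolver(host):
    """Every A/AAAA address for host (as strings) via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(ip):
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped so loopback cannot hide inside IPv6."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=_system_resolver):
    """Return (host, port, pinned_ip) if url may be fetched; raise ValueError
    otherwise. Callers connect to pinned_ip, send Host: host, and must not
    follow redirects without re-validating each Location target."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:            # blocks gopher://, file://, dict://, ...
        raise ValueError(f"scheme not allowed: {scheme or '(none)'}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")   # user@host confuses parsers
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:                # no http://127.0.0.1:6379/
        raise ValueError(f"port not allowed: {port}")
    # Always resolve, even for literal addresses: libc accepts shorthand forms
    # (decimal, octal, hex) that ipaddress rejects but that still reach
    # loopback or RFC 1918 space.
    try:
        addrs = resolver(host)
    except OSError as exc:
        raise ValueError(f"cannot resolve {host}") from exc
    if not addrs:
        raise ValueError(f"no addresses for {host}")
    for addr in addrs:                           # every answer must be public
        ip = ipaddress.ip_address(addr)
        if not _is_public(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return host, port, addrs[0]                  # pin the address we checked


# Constructed DNS table standing in for the real resolver during the demo.
FAKE_DNS = {
    "example.org": ["1.2.3.4"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["1.2.3.4", "10.0.0.5"],   # mixed answers: must be rejected
}


def demo_resolver(host):
    """Literal IPs resolve to themselves; names come from FAKE_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return FAKE_DNS[host]


SAMPLE_URLS = [
    "https://example.org/status",
    "gopher://127.0.0.1:6379/_",
    "http://127.0.0.1:6379/",
    "http://localhost/",
    "http://169.254.169.254/latest/meta-data/",
    "http://metadata.internal/",
    "http://rebind.example/",
    "http://[::ffff:127.0.0.1]/",
    "http://user:pass@example.org/",
    "http://example.org:8080/",
]


def check_many(urls, resolver=demo_resolver):
    """Map each URL to an allow/deny verdict string."""
    results = {}
    for u in urls:
        try:
            host, port, ip = validate_outbound_url(u, resolver)
            results[u] = f"allow -> connect {ip}:{port}, Host: {host}"
        except ValueError as exc:
            results[u] = f"deny: {exc}"
    return results


if __name__ == "__main__":
    for url, verdict in check_many(SAMPLE_URLS).items():
        print(f"{verdict:60s} {url}")
```

In WordPress terms the same policy is approximated by fetching through wp_safe_remote_get(), which runs wp_http_validate_url() to refuse loopback and private targets, and by registering the route with a permission_callback that requires a capability so it is no longer reachable unauthenticated; if the plugin drives libcurl directly, CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS should be limited to CURLPROTO_HTTP | CURLPROTO_HTTPS, since otherwise a redirect can reintroduce gopher:// after the input check has passed. An egress policy on the host (AC-4, SC-7) that denies the PHP worker connections to RFC 1918 space, link-local addresses and 127.0.0.0/8 remains worthwhile as a second layer, because it holds even when the application check is wrong.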
