CVE-2026-1648
Published: 21 March 2026
Summary
CVE-2026-1648 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in the Performance Monitor plugin for WordPress. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1648, published on 2026-03-21, is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the Performance Monitor plugin for WordPress, affecting all versions up to and including 1.0.6. The flaw arises from insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint: the value is handed to the server-side HTTP client as-is, so the server issues whatever request the caller asks for. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. They can force the WordPress server to issue requests to arbitrary locations, including internal services, and because the endpoint does not restrict the URL scheme, non-HTTP schemes such as gopher:// are reachable as well. Where a service like Redis is reachable from the web server, the SSRF can be chained with it to achieve remote code execution.
Advisories and references, including Wordfence threat intelligence and code excerpts from the plugin's Trac repository (e.g., class-curl.php line 50 and class-rest-callback.php line 168), detail the vulnerable endpoint and parameter handling. Assetnote's GitHub repository on blind SSRF chains provides additional context on exploitation techniques involving such vulnerabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14167
Vulnerability details
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in a public-facing WordPress plugin directly enables exploitation of the application (T1190) and can be chained into remote code execution on the server.
Affected Assets
- Performance Monitor plugin for WordPress, all versions up to and including 1.0.6
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient validation of the 'url' parameter in the REST API endpoint by requiring validation of inputs to prevent SSRF exploitation.
- AC-4 (Information Flow Enforcement): enforces information flow control policies to block unauthorized server-initiated requests to internal services or dangerous protocols like Gopher.
- SC-7 (Boundary Protection): provides boundary protection to monitor and control outbound connections from the web server, mitigating SSRF attempts to arbitrary or internal destinations.
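As an added illustration, not the Performance Monitor plugin's own code and not taken from Wordfence or the advisory, the block below places the vulnerable pattern the advisory describes (the 'url' parameter passed straight to curl) beside a hardened version of the same REST callback. It ties the two code-level controls above to concrete WordPress APIs: SI-10 becomes a validate_callback on the 'url' argument, and AC-4 becomes a refusal of non-HTTP schemes and internal destinations plus use of wp_safe_remote_get(). The route namespace and path follow the advisory; every name with the pm_example_ prefix, the manage_options requirement and the timeout value are assumptions made for this example.

```php
<?php
/**
 * Added example, not the Performance Monitor plugin's code.
 * The route namespace and path come from the advisory; the pm_example_
 * names and the manage_options requirement are assumptions.
 */

// Vulnerable pattern the advisory describes: the request parameter becomes the curl
// URL unchecked, so gopher://, dict://, file:// and internal hosts are all reachable.
function pm_example_curl_data_vulnerable( WP_REST_Request $request ) {
	$ch = curl_init( $request->get_param( 'url' ) );
	curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
	curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true ); // a 302 can re-target an allowed host to an internal one
	$body = curl_exec( $ch );
	curl_close( $ch );
	return rest_ensure_response( array( 'body' => $body ) );
}

// True when the host is, or resolves to, a loopback, private, link-local or other
// reserved address. Adds 169.254.0.0/16 and IPv6 literals, which wp_http_validate_url()
// does not check on its own.
function pm_example_host_is_internal( $host ) {
	$host = trim( (string) $host, '[].' );
	if ( '' === $host ) {
		return true;
	}
	$ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
	if ( $ip === $host && ! filter_var( $host, FILTER_VALIDATE_IP ) ) {
		return true; // gethostbyname() echoes the name back on failure: fail closed
	}
	return false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

// SI-10: validate_callback for the 'url' argument. Only http/https and no internal
// destination. wp_http_validate_url() returns the URL on success and false on failure.
function pm_example_validate_url( $value, $request, $param ) {
	$scheme = strtolower( (string) wp_parse_url( $value, PHP_URL_SCHEME ) );
	if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return new WP_Error( 'rest_invalid_param', 'Only http and https URLs are accepted.', array( 'status' => 400 ) );
	}
	if ( false === wp_http_validate_url( $value ) || pm_example_host_is_internal( wp_parse_url( $value, PHP_URL_HOST ) ) ) {
		return new WP_Error( 'rest_invalid_param', 'URL targets a disallowed host.', array( 'status' => 400 ) );
	}
	return true;
}

// AC-4 in code: the fetch goes through wp_safe_remote_get(), which sets
// reject_unsafe_urls so WP_Http re-validates the target, and redirects are
// disabled so a validated host cannot bounce the request elsewhere.
function pm_example_curl_data_hardened( WP_REST_Request $request ) {
	$response = wp_safe_remote_get( $request->get_param( 'url' ), array( 'timeout' => 5, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) ) {
		return new WP_Error( 'pm_example_fetch_failed', $response->get_error_message(), array( 'status' => 502 ) );
	}
	return rest_ensure_response( array(
		'status' => wp_remote_retrieve_response_code( $response ),
		'body'   => wp_remote_retrieve_body( $response ),
	) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'performance-monitor/v1', '/curl_data', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'pm_example_curl_data_hardened',
		// The advisory's endpoint was reachable unauthenticated; require a capability.
		'permission_callback' => function () { return current_user_can( 'manage_options' ); },
		'args'                => array(
			'url' => array(
				'required'          => true,
				'type'              => 'string',
				'validate_callback' => 'pm_example_validate_url',
				'sanitize_callback' => 'esc_url_raw',
			),
		),
	) );
} );
```

Two caveats a reviewer should keep in mind. wp_http_validate_url() resolves the name once and rejects the RFC 1918 ranges, 127/8 and 0/8, but not 169.254/16 (cloud metadata endpoints) or IPv6, which is why the extra filter_var() check is there. The validation step and the actual request resolve the hostname separately, so a DNS name that changes answers between the two lookups can still reach an internal address; that gap is closed by SC-7 egress filtering on the web host, which is enforced independently of plugin code.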