CVE-2026-3478

High

Published: 21 March 2026

Published

21 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0015 35.7th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3478 is a high-severity SSRF (CWE-918) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the lack of validation on the $_GET['url'] parameter by requiring input validation to reject arbitrary or internal URLs, preventing SSRF exploitation.

AC-4 Information Flow Enforcement good match

prevent

Enforces information flow control policies that restrict the WordPress server from originating requests to unauthorized internal services, ports, or cloud metadata endpoints via the vulnerable proxy.

SC-7 Boundary Protection good match

prevent

Implements boundary protections like firewalls or WAFs to monitor and block outbound requests from the web server to internal networks, enabling port scanning or metadata access prevention.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

T1522 Cloud Instance Metadata API Credential Access

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

attack.mitre.org →

T1552.005 Cloud Instance Metadata API Credential Access

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

attack.mitre.org →

Why these techniques?

SSRF in unauthenticated public WordPress endpoint directly enables remote exploitation of a public-facing app (T1190); the proxy allows internal port scanning/service enumeration (T1046) and direct interaction with cloud instance metadata for credential discovery (T1522/T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is…

accessible to unauthenticated users. The proxy() method in the Redux_P class takes a URL directly from $_GET['url'] without any validation (the regex is set to /.*/ which matches all URLs) and passes it to wp_remote_request(), which does not have built-in SSRF protection like wp_safe_remote_request(). There is no authentication check, no nonce verification, and no URL restriction. The response from the requested URL is then returned to the attacker, making this a full-read SSRF. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal network ports, or interact with cloud metadata endpoints.

Deeper analysisAI

CVE-2026-3478 is a Server-Side Request Forgery (SSRF) vulnerability in the Content Syndication Toolkit plugin for WordPress, affecting all versions up to and including 1.3. The flaw exists in the redux_p AJAX action within the bundled ReduxFramework library, where the plugin registers a proxy endpoint named wp_ajax_nopriv_redux_p that is accessible to unauthenticated users. The proxy() method in the Redux_P class directly accepts a URL from the $_GET['url'] parameter without validation—using a regex pattern of /.*/ that matches any URL—and forwards it to wp_remote_request(), which lacks built-in SSRF protections like those in wp_safe_remote_request(). There are no authentication checks, nonce verification, or URL restrictions in place.

Unauthenticated attackers can exploit this vulnerability by sending requests to the proxy endpoint with an arbitrary URL in the $_GET['url'] parameter. The server then fetches the response from the target URL and returns it to the attacker, enabling full-read SSRF. This allows attackers to originate web requests from the vulnerable WordPress server to internal network locations, query or modify data on internal services, scan for open ports, or interact with cloud metadata endpoints. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-918: Server-Side Request Forgery.

References for CVE-2026-3478 link to source code in the WordPress plugin trac repository, specifically lines in inc/ReduxFramework/ReduxCore/inc/class.p.php for tags/1.3 and trunk versions, including lines 161, 219, and 7, which illustrate the vulnerable proxy endpoint registration and URL handling logic. No patch or mitigation details are provided in the available references.