Performance Monitor WordPress Plugin Unauthenticated Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Performance Monitor WordPress plugin, affecting versions through 1.0.6. The plugin does not validate the destination supplied in a request parameter before issuing a server-side request, and the affected endpoint is reachable without authentication, so unauthenticated users can trigger the request.

Impact

Exploitation allows an unauthenticated attacker to make the server issue requests on their behalf to internal resources or external services that the server can reach.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site's REST API endpoint for the Performance Monitor plugin, specifically the 'curl_data' route. Include a 'url' parameter with a value that points to an internal resource or service, such as 'http://127.0.0.1:8282'.
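The vulnerable pattern described above beside a hardened form of the same route, added here as an illustration that is not the plugin's code: the 'example/v1' namespace, the function names and the allowlisted host are constructed assumptions.

```php
<?php
// Constructed illustration of the vulnerable pattern (not the plugin's code):
// the route is reachable by anyone and the caller-supplied 'url' is fetched unchecked.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/curl_data_unsafe', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            return wp_remote_retrieve_body( wp_remote_get( $req->get_param( 'url' ) ) );
        },
    ) );
} );
// Hardened form: require a privileged user, accept only http(s) URLs whose host is on
// an allowlist, and refuse destinations that resolve to private or reserved addresses.
function example_pm_validate_destination( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'invalid_url', 'Only http(s) URLs with a host are accepted.', array( 'status' => 400 ) );
    }
    $host          = strtolower( $parts['host'] );
    $allowed_hosts = array( 'status.example.com' ); // constructed allowlist (assumption)
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return new WP_Error( 'host_not_allowed', 'Destination host is not allowlisted.', array( 'status' => 403 ) );
    }
    // Defence in depth only: gethostbyname() is IPv4-only and a single lookup, so the allowlist stays the primary control.
    $ip = gethostbyname( $host );
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return new WP_Error( 'private_destination', 'Destination resolves to a private or reserved address.', array( 'status' => 403 ) );
    }
    return true;
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/curl_data', array(
        'methods'             => 'GET',
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array(
            'url' => array( 'required' => true, 'validate_callback' => 'example_pm_validate_destination' ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            // wp_safe_remote_get() also applies WordPress's own URL checks; redirects are disabled.
            $resp = wp_safe_remote_get( $req->get_param( 'url' ), array( 'timeout' => 5, 'redirection' => 0 ) );
            if ( is_wp_error( $resp ) ) {
                return $resp;
            }
            return array( 'body' => wp_remote_retrieve_body( $resp ) );
        },
    ) );
} );
```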

Added: Mar 31, 2026, 7:18 AM
Updated: Mar 31, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread:          0.0
impact:          0.4
exploitability:  8.2
remediation:     0.0
relevance:       5.0
threat:          6.4
urgency:         2.9
incentive:       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.