CVE-2026-12100: CWE-918 Server-Side Request Forgery (SSRF) in abhisheksaha11 URL Preview
The URL Preview plugin for WordPress, developed by abhisheksaha11, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-12100. This vulnerability affects all versions up to and including 1.0 via the 'url' parameter, allowing unauthenticated attackers to make arbitrary web requests from the server. Exploitation can lead to querying and modifying internal services. The vulnerability has a high severity with a CVSS score of 7.2. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
CVE-2026-12100 is a Server-Side Request Forgery (SSRF) vulnerability in the URL Preview WordPress plugin by abhisheksaha11. It affects all versions up to and including 1.0 through the 'url' parameter, enabling unauthenticated attackers to induce the server to make arbitrary HTTP requests. This can be leveraged to access or manipulate internal services that are otherwise inaccessible externally. The vulnerability is publicly known and assigned a CVSS 3.1 base score of 7.2, indicating high severity. No vendor advisory or patch is currently available, and there are no known exploits in the wild.
Potential Impact
An attacker can exploit this SSRF vulnerability to make the vulnerable server send arbitrary HTTP requests to internal or external systems. This can lead to unauthorized information disclosure and modification of internal services. The vulnerability does not directly allow remote code execution or denial of service but can be a stepping stone for further attacks within the internal network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the URL Preview plugin if it is not essential. Additionally, restricting outbound HTTP requests from the web server at the network level may help mitigate exploitation risks.
CVSS v3.1
Score: 7.2 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-06-12T14:20:00.585Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3b7811eed863c81e5f71f3
Added to database: 06/24/2026, 06:24:17 UTC
Last enriched: 06/24/2026, 06:54:05 UTC
Last updated: 06/24/2026, 07:30:37 UTC