CVE-2026-1648: CWE-918 Server-Side Request Forgery (SSRF) in qrolic Performance Monitor
CVE-2026-1648 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the qrolic Performance Monitor WordPress plugin, versions up to and including 1.0.6. It arises from insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint, allowing unauthenticated attackers to make the server issue arbitrary requests, including via the Gopher protocol. This can be leveraged to access internal services and potentially achieve Remote Code Execution (RCE) by chaining with vulnerable services such as Redis. The vulnerability requires no authentication or user interaction. Although no known exploits are currently in the wild, the CVSS score of 7.2 indicates a significant risk. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent exploitation.
AI Analysis
Technical Summary
The qrolic Performance Monitor plugin for WordPress contains a high-severity SSRF vulnerability (CVE-2026-1648) affecting all versions up to and including 1.0.6. The flaw exists due to inadequate validation of the 'url' parameter in the REST API endpoint '/wp-json/performance-monitor/v1/curl_data'. This endpoint accepts URLs without proper sanitization, enabling unauthenticated attackers to craft requests that the server will issue on their behalf. Attackers can exploit this to send requests to arbitrary internal or external resources, including those reachable only from the internal network. Notably, the endpoint accepts dangerous protocols such as Gopher, which can be used to interact with backend services like Redis. By chaining SSRF with Redis commands, attackers may achieve Remote Code Execution on the hosting server. The vulnerability does not require any privileges or user interaction, increasing its risk. While no public exploits have been reported yet, the potential for severe impact is high given the ease of exploitation and the possibility of RCE. The vulnerability is classified under CWE-918 (SSRF), and the CVSS v3.1 base score is 7.2 (High), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and partial confidentiality and integrity impact.
Potential Impact
If exploited, this vulnerability allows attackers to perform unauthorized internal network scanning and access, potentially reaching sensitive internal services that are not exposed externally. The ability to use the Gopher protocol to interact with services like Redis can lead to Remote Code Execution, allowing full compromise of the affected WordPress server. This can result in data theft, service disruption, or use of the compromised server as a pivot point for further attacks within the network. The impact extends beyond confidentiality to integrity, as attackers can manipulate internal services or data. Given the plugin's integration with WordPress, a widely used CMS, many organizations could be exposed, especially those relying on this plugin for performance monitoring. The lack of authentication and user interaction requirements increases the likelihood of automated exploitation attempts once public exploit code becomes available.
Mitigation Recommendations
1. Immediate mitigation involves disabling or uninstalling the qrolic Performance Monitor plugin until a patched version is released.
2. If disabling is not feasible, restrict access to the vulnerable REST API endpoint via web application firewalls (WAFs) or reverse proxies by blocking or filtering requests to '/wp-json/performance-monitor/v1/curl_data'.
3. Implement network segmentation and firewall rules to limit the WordPress server's ability to initiate outbound connections to internal services, especially blocking protocols like Gopher.
4. Monitor logs for unusual outbound requests originating from the WordPress server, particularly to internal IP ranges or uncommon protocols.
5. Once available, promptly apply vendor patches addressing this vulnerability.
6. Conduct internal scans to detect any signs of compromise or lateral movement stemming from this vulnerability.
7. Educate administrators about the risks of SSRF and the importance of validating user-supplied URLs in plugins and custom code.
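The checks that recommendations 2, 4 and 7 call for, as an added example that is not part of this advisory and is not code from the plugin or its vendor: a URL validator of the kind a plugin should apply before fetching a user-supplied URL (only http/https, no embedded credentials, host must be, or resolve exclusively to, public addresses), and a scan of web-server access logs for requests to the curl_data endpoint whose url argument fails those checks. The function names, the resolver hook and the log lines are constructed for this example; only the endpoint path comes from the advisory.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Schemes a performance probe legitimately needs. Anything else (gopher, file,
# dict, ftp, ...) is rejected outright; this is the CWE-918 hardening step.
ALLOWED_SCHEMES = {"http", "https"}

# Endpoint path taken from the advisory; used only by the log scan below.
ENDPOINT = "/wp-json/performance-monitor/v1/curl_data"


def _is_public_address(ip):
    """True only for globally routable unicast addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolve(host):
    """Hypothetical resolver hook: return every A/AAAA record, so a name that
    maps to one public and one internal address is still rejected."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, resolve=_default_resolve):
    """Return (ok, reason). ok is True only for an http(s) URL without embedded
    credentials whose host is, or resolves exclusively to, public addresses.
    Pass resolve=None to run the static checks only (no DNS), as the offline
    log scan below does."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IPv4/IPv6 host
    except ValueError:
        if resolve is None:
            return True, "hostname accepted without DNS (static checks only)"
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"host did not resolve: {exc}"
        if not addrs:
            return False, "host resolved to no addresses"
    for ip in addrs:
        # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as a fresh IPv6 address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not _is_public_address(ip):
            return False, f"non-public address {ip}"
    return True, "ok"


_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_ssrf_attempts(log_lines):
    """Return (url, reason) for every request to ENDPOINT whose 'url' argument
    fails the static checks. No DNS is performed, so this runs offline."""
    hits = []
    for line in log_lines:
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != ENDPOINT:
            continue
        for url in parse_qs(target.query).get("url", []):
            ok, reason = validate_outbound_url(url, resolve=None)
            if not ok:
                hits.append((url, reason))
    return hits


# Constructed access-log lines (Combined Log Format), not from any real site.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Mar/2026:04:01:11 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512',
    '203.0.113.10 - - [21/Mar/2026:04:01:12 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 12',
    '203.0.113.10 - - [21/Mar/2026:04:01:13 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 88',
    '198.51.100.7 - - [21/Mar/2026:04:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for url, reason in flag_ssrf_attempts(SAMPLE_LOG):
        print(f"suspicious curl_data request: {url} ({reason})")
```

Two caveats belong with this check. Validating a hostname and then handing the URL to an HTTP client that resolves it again leaves a window for DNS rebinding, so the fetch should connect to the address that was validated (or the client must re-run the same check at connect time), and redirects must be either disabled or re-validated hop by hop. In WordPress specifically, core's `wp_safe_remote_get()` already applies comparable host and scheme validation, which is the call a plugin should prefer over a raw cURL wrapper.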
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-29T19:03:40.942Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69be1807f4197a8e3b783c43
Added to database: 3/21/2026, 4:01:11 AM
Last enriched: 3/21/2026, 4:31:06 AM
Last updated: 3/21/2026, 3:54:43 PM