
CVE-2026-3478: CWE-918 Server-Side Request Forgery (SSRF) in benmoody Content Syndication Toolkit

Severity: High
Tags: Vulnerability, CVE-2026-3478, CWE-918
Published: Sat Mar 21 2026 (03/21/2026, 03:27:13 UTC)
Source: CVE Database V5
Vendor/Project: benmoody
Product: Content Syndication Toolkit

Description

CVE-2026-3478 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting all versions of the benmoody Content Syndication Toolkit WordPress plugin up to and including 1.3. The vulnerability arises from an unauthenticated AJAX proxy endpoint that accepts arbitrary URLs without validation and forwards them using wp_remote_request(), which provides no SSRF protections. This allows attackers to make arbitrary HTTP requests from the vulnerable server, potentially accessing internal services, scanning internal networks, or querying cloud metadata endpoints. No authentication, nonce verification, or URL restrictions are in place, so exploitation is straightforward, remote, and requires no user interaction. The vulnerability has a CVSS 3.1 score of 7.2, reflecting its high impact on confidentiality and integrity with no availability impact. Although no public exploits are currently known, the risk is significant given the plugin's use in WordPress environments worldwide. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent internal network reconnaissance and data exposure.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/21/2026, 04:16:05 UTC

Technical Analysis

The Content Syndication Toolkit plugin for WordPress, developed by benmoody, contains a critical SSRF vulnerability identified as CVE-2026-3478. This vulnerability exists in all versions up to and including 1.3 within the bundled ReduxFramework library. Specifically, the plugin registers an unauthenticated AJAX endpoint (wp_ajax_nopriv_redux_p) that acts as a proxy, accepting a URL parameter via $_GET['url']. The proxy() method in the Redux_P class forwards this URL directly to wp_remote_request() without any validation or filtering, as the regex used is /.*/, which matches all URLs. Unlike wp_safe_remote_request(), wp_remote_request() does not provide SSRF protections, allowing an attacker to induce the server to make arbitrary HTTP requests. Since there is no authentication or nonce verification, any unauthenticated user can exploit this endpoint. The server’s response to the requested URL is returned to the attacker, enabling full-read SSRF capabilities. This can be leveraged to access internal network resources, query cloud provider metadata services (such as AWS or GCP metadata endpoints), or perform internal port scans. The vulnerability’s CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, with a scope change and partial confidentiality and integrity impact but no availability impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on March 3, 2026, and published on March 21, 2026.

Potential Impact

This SSRF vulnerability poses a significant risk to organizations using the Content Syndication Toolkit plugin on WordPress sites. Attackers can exploit it remotely without authentication or user interaction, enabling them to make arbitrary HTTP requests from the vulnerable server. This can lead to unauthorized access to internal services that are otherwise inaccessible externally, such as internal APIs, databases, or administrative interfaces. Additionally, attackers can query cloud metadata endpoints to harvest sensitive credentials or tokens, potentially leading to full cloud environment compromise. Internal network reconnaissance and port scanning can facilitate further lateral movement or targeted attacks. The confidentiality and integrity of internal systems and data are at risk, though availability is not directly impacted. Given WordPress’s widespread use globally, the vulnerability could affect a large number of websites, especially those running this plugin. The lack of existing public exploits reduces immediate risk but does not diminish the urgency for mitigation, as SSRF vulnerabilities are commonly leveraged in multi-stage attacks.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations to identify the presence of the Content Syndication Toolkit plugin and its version. Since no official patch links are currently available, temporary mitigations include disabling or removing the plugin until a secure update is released. If disabling is not feasible, restrict access to the vulnerable AJAX endpoint (wp_ajax_nopriv_redux_p) via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests. Implement network segmentation to limit the server’s ability to reach sensitive internal services or cloud metadata endpoints. Monitor outgoing HTTP requests from the web server for suspicious activity. Developers maintaining the plugin should update the proxy() method to validate and restrict URLs strictly, use wp_safe_remote_request() instead of wp_remote_request(), and enforce authentication and nonce verification on the AJAX endpoint. Regularly update WordPress plugins and monitor vulnerability disclosures for patches. Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) to detect anomalous SSRF exploitation attempts.
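The following is an added illustrative example, not the plugin's own source and not code from Wordfence or the page's author. It shows the insecure proxy pattern the Technical Analysis describes (reconstructed in comments) next to a hardened handler that applies the developer-side fixes listed under Mitigation Recommendations: nonce verification, a capability check, strict URL validation with a host allowlist, and wp_safe_remote_request() in place of wp_remote_request(). The hook name, nonce action string, capability and allowlist hosts are hypothetical choices for the example.

```php
<?php
// Added example (hypothetical; not the Content Syndication Toolkit's code).
// Assumed names: action 'cst_example_proxy', nonce action 'cst_example_proxy',
// capability 'manage_options', and the allowlist hosts below.

// --- Insecure pattern, as described in the advisory (reconstructed, not the
// plugin's actual source). Unauthenticated hook, no nonce, URL matched by /.*/,
// forwarded with wp_remote_request(), body echoed back to the caller.
//
// add_action( 'wp_ajax_nopriv_redux_p', 'insecure_proxy' );
// function insecure_proxy() {
//     $url      = $_GET['url'];                   // accepted as-is
//     $response = wp_remote_request( $url );      // no SSRF checks
//     echo wp_remote_retrieve_body( $response );  // full-read SSRF
//     wp_die();
// }

// --- Hardened version ------------------------------------------------------

// Hosts the proxy may fetch from (hypothetical allowlist for this example).
const CST_EXAMPLE_ALLOWED_HOSTS = array( 'feeds.example.com', 'cdn.example.com' );

/**
 * Validate a caller-supplied URL before any server-side fetch.
 * Returns the validated URL string, or a WP_Error describing the rejection.
 */
function cst_example_validate_proxy_url( $url ) {
    // wp_http_validate_url() rejects non-http(s) schemes, embedded credentials,
    // and loopback / RFC1918 addresses (unless the http_request_host_is_external
    // filter allows them). It does NOT reject link-local 169.254.0.0/16, which
    // is where cloud metadata services live, so the allowlist below is the
    // control that actually matters.
    $clean = wp_http_validate_url( $url );
    if ( false === $clean ) {
        return new WP_Error( 'cst_bad_url', 'URL failed validation' );
    }

    $host = strtolower( (string) wp_parse_url( $clean, PHP_URL_HOST ) );
    if ( ! in_array( $host, CST_EXAMPLE_ALLOWED_HOSTS, true ) ) {
        return new WP_Error( 'cst_host_not_allowed', 'Host is not on the allowlist' );
    }
    return $clean;
}

/**
 * Proxy handler registered only on wp_ajax_ (logged-in users), never on
 * wp_ajax_nopriv_, so anonymous callers cannot reach it at all.
 */
function cst_example_secure_proxy() {
    // 1. Nonce check. The caller obtains the nonce via
    //    wp_create_nonce( 'cst_example_proxy' ) and sends it as 'nonce'.
    //    check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'cst_example_proxy', 'nonce' );

    // 2. Capability check: restrict the proxy to site administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Strict validation plus allowlist instead of the /.*/ catch-all.
    $url = isset( $_GET['url'] ) ? wp_unslash( $_GET['url'] ) : '';
    $url = cst_example_validate_proxy_url( $url );
    if ( is_wp_error( $url ) ) {
        wp_send_json_error( $url->get_error_message(), 400 );
    }

    // 4. wp_safe_remote_request() re-validates the URL and each redirect hop.
    //    Redirects are disabled here so a permitted host cannot bounce the
    //    server to an internal address, and the timeout is kept short.
    $response = wp_safe_remote_request( $url, array(
        'method'      => 'GET',
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'upstream_error', 502 );
    }

    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'body'   => wp_remote_retrieve_body( $response ),
    ) );
}
add_action( 'wp_ajax_cst_example_proxy', 'cst_example_secure_proxy' );
```

Two design points are worth noting for anyone patching a similar proxy. First, swapping in wp_safe_remote_request() alone is not sufficient: WordPress's URL validation blocks loopback and private ranges but not link-local addresses, so an explicit host allowlist (or an equivalent deny-by-default policy) is still required to keep cloud metadata endpoints out of reach. Second, the handler returns the upstream body only after authentication, nonce and allowlist checks have all passed, which removes the full-read SSRF primitive the advisory describes rather than merely narrowing it.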


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-03-03T13:53:57.074Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69be180ef4197a8e3b78435f

Added to database: 3/21/2026, 4:01:18 AM

Last enriched: 3/21/2026, 4:16:05 AM

Last updated: 3/21/2026, 4:20:53 PM
