The Performance Monitor WordPress plugin versions through 1.0.6 contain a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) because it fails to validate a parameter before making a request to it. This allows unauthenticated attackers to induce the server to send requests to arbitrary locations, potentially exposing internal resources or services. The CVSS 3.1 base score is 5.8 (medium), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact. No patch or vendor advisory is currently provided, and no known exploits are reported in the wild.

An unauthenticated attacker can exploit this SSRF vulnerability to cause the server to make arbitrary requests, which may lead to limited confidentiality loss by accessing internal or protected resources. There is no direct impact on integrity or availability reported. The vulnerability is rated medium severity with a CVSS score of 5.8.

No official patch or remediation is currently available for this vulnerability. Users of the Performance Monitor plugin should monitor the vendor's advisories for updates and apply any forthcoming patches promptly. Until a fix is released, consider restricting network access from the server to sensitive internal resources as a temporary mitigation.