The fediverse-embeds WordPress plugin registered an unauthenticated REST API endpoint 'ftf/media-proxy' which accepted a base64-encoded URL parameter. This URL was passed directly to wp_remote_get() without enforcing an allowlist or proper validation, despite a comment in the source code indicating such validation was intended. The plugin only set a local flag indicating permission to download media, but this flag was never used to block requests. Consequently, any anonymous visitor could use this endpoint as an open proxy to retrieve the full response body from arbitrary URLs, constituting a full-read SSRF vulnerability. This vulnerability was fixed in version 1.5.8.

An attacker can exploit this SSRF vulnerability to make the server perform arbitrary HTTP requests to internal or external resources and retrieve the full response body. This can lead to unauthorized disclosure of sensitive information accessible to the server, potentially including internal network resources or protected services. The vulnerability does not allow modification of data or denial of service but poses a significant confidentiality risk.

This vulnerability has been patched in fediverse-embeds WordPress plugin version 1.5.8. Users should upgrade to version 1.5.8 or later to remediate this issue. No other mitigation is required once the plugin is updated.