CVE-2026-5737: CWE-918 Server-Side Request Forgery (SSRF) in bensibley Independent Analytics – WordPress Analytics Plugin
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
AI Analysis
Technical Summary
CVE-2026-5737 is a Server-Side Request Forgery vulnerability in the Independent Analytics WordPress plugin (up to version 2.14.9). The vulnerability stems from a public API route (/wp-json/iawp/search) that accepts referrer_url parameters validated by a signature embedded in publicly accessible JavaScript, with a static salt per site. This weak signature validation allows attackers to obtain valid signatures and inject malicious referrer domains into the plugin's database. A scheduled favicon fetcher then performs unrestricted cURL requests to these stored domains without SSRF protections such as localhost blocking or private network filtering. This enables unauthenticated attackers to cause the server to make arbitrary HTTP requests, potentially targeting internal services or other unintended hosts. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.5. No patch or official remediation has been disclosed as of the publication date.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to cause the server hosting the Independent Analytics plugin to make arbitrary HTTP requests to attacker-controlled or internal network hosts. This can lead to information disclosure or interaction with internal services that are not otherwise accessible externally. The impact is limited to confidentiality and integrity with no direct availability impact reported. The vulnerability does not require user interaction or privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the Independent Analytics plugin if possible. Monitoring for unusual outbound requests from the server may help detect exploitation attempts, but no specific mitigation is provided by the vendor at this time.
CVE-2026-5737: CWE-918 Server-Side Request Forgery (SSRF) in bensibley Independent Analytics – WordPress Analytics Plugin
Description
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5737 is a Server-Side Request Forgery vulnerability in the Independent Analytics WordPress plugin (up to version 2.14.9). The vulnerability stems from a public API route (/wp-json/iawp/search) that accepts referrer_url parameters validated by a signature embedded in publicly accessible JavaScript, with a static salt per site. This weak signature validation allows attackers to obtain valid signatures and inject malicious referrer domains into the plugin's database. A scheduled favicon fetcher then performs unrestricted cURL requests to these stored domains without SSRF protections such as localhost blocking or private network filtering. This enables unauthenticated attackers to cause the server to make arbitrary HTTP requests, potentially targeting internal services or other unintended hosts. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.5. No patch or official remediation has been disclosed as of the publication date.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to cause the server hosting the Independent Analytics plugin to make arbitrary HTTP requests to attacker-controlled or internal network hosts. This can lead to information disclosure or interaction with internal services that are not otherwise accessible externally. The impact is limited to confidentiality and integrity with no direct availability impact reported. The vulnerability does not require user interaction or privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the Independent Analytics plugin if possible. Monitoring for unusual outbound requests from the server may help detect exploitation attempts, but no specific mitigation is provided by the vendor at this time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-07T13:36:41.592Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a182817e29bf47b50de656c
Added to database: 5/28/2026, 11:33:43 AM
Last enriched: 5/28/2026, 11:48:53 AM
Last updated: 5/29/2026, 6:22:32 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.