CVE-2026-46698
MEDIUMDescription
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9.
Is your site exposed to CVE-2026-46698?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-46698? +
How severe is CVE-2026-46698? +
How do I check if I'm vulnerable to CVE-2026-46698? +
Related Vulnerabilities
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) …
pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable …
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers …
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability …
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary …
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through …