Atomic Edge analysis of CVE-2026-0807:
The Frontis Blocks WordPress plugin contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 1.1.6. The vulnerability exists in the plugin’s template proxy functionality, allowing attackers to force the server to make arbitrary HTTP requests to internal or external systems. This vulnerability carries a CVSS score of 7.2, indicating high severity.

The root cause is insufficient input validation and access control in the `template_proxy` function. Atomic Edge research identified that the function accepts a user-controlled ‘url’ parameter without proper validation. The vulnerable code resides in the main plugin file `frontis-blocks.php` where the function `template_proxy()` processes the ‘url’ parameter directly from the `$_GET` or `$_REQUEST` superglobal. The plugin registers two endpoints via `add_rewrite_rule()`: ‘/template-proxy/’ and ‘/proxy-image/’, both of which route to this vulnerable function.

Exploitation requires sending HTTP requests to either the ‘/template-proxy/’ or ‘/proxy-image/’ endpoint with a malicious ‘url’ parameter. Attackers can use GET requests like `http://target.site/wp-content/plugins/frontis-blocks/template-proxy/?url=http://internal-service.local` or `http://target.site/proxy-image/?url=file:///etc/passwd`. The plugin fetches the specified URL and returns its content, enabling attackers to probe internal networks, access local files via the `file://` protocol, or interact with cloud metadata services.
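Requests of the shape described above leave a recognizable trace in web server access logs. The following triage script is an added example, not code from Atomic Edge or the plugin; it assumes the combined access-log format, and the sample lines and the `.internal` suffix check are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory. The combined access-log format is an assumption.
PROXY_PATHS = ("/template-proxy/", "/proxy-image/")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_target(target):
    """Return a reason string if the proxied URL looks like SSRF, else None."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http scheme: " + (parts.scheme or "none")
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname, not an IP literal: flag obviously internal names only.
        if host == "localhost" or host.endswith((".local", ".internal")):
            return "internal hostname: " + host
        return None
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal address: " + host
    return None

def scan(lines):
    """Yield (line_no, target, reason) for suspicious requests to the proxy endpoints."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        req = urlsplit(m.group(1))
        if not (req.path.rstrip("/") + "/").endswith(PROXY_PATHS):
            continue
        # parse_qs percent-decodes, so encoded targets are classified too.
        for target in parse_qs(req.query).get("url", []):
            reason = classify_target(target)
            if reason:
                yield no, target, reason

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /proxy-image/?url=https://example.com/a.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2026:10:00:07 +0000] "GET /proxy-image/?url=file:///etc/passwd HTTP/1.1" 200 1804',
    '203.0.113.9 - - [10/Jan/2026:10:00:09 +0000] "GET /wp-content/plugins/frontis-blocks/template-proxy/?url=http://internal-service.local HTTP/1.1" 200 88',
    '203.0.113.7 - - [10/Jan/2026:10:00:11 +0000] "GET /index.php?url=http://127.0.0.1/ HTTP/1.1" 200 40',
    '203.0.113.9 - - [10/Jan/2026:10:00:15 +0000] "GET /template-proxy/?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 12',
]
```

The check inspects only the literal host in the logged URL and does not resolve hostnames, so treat it as a triage aid alongside updating the plugin.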

The patch adds multiple security controls. It introduces a nonce check via `wp_verify_nonce()` to ensure requests originate from authenticated users. The fix also implements URL validation using `wp_http_validate_url()` to restrict requests to specific allowed domains and protocols. Additionally, the patch adds capability checks with `current_user_can()` to verify user permissions before processing proxy requests. These changes collectively prevent unauthenticated access and restrict URL fetching to legitimate, whitelisted sources.

Successful exploitation enables attackers to perform internal network reconnaissance, access sensitive internal services, read local files via the `file://` protocol, and potentially interact with cloud metadata endpoints. This can lead to information disclosure and internal service enumeration, and can serve as a stepping stone for further attacks against internal infrastructure. The vulnerability could also facilitate blind SSRF attacks to interact with services on localhost or internal networks that are otherwise inaccessible from the internet.