Server-Side Request Forgery Vulnerability in Kargo Takip Plugin for WordPress
CVE-2026-12095

7.2 HIGH

Key Information:

Vendor:
WordPress
CVE Published:
24 June 2026

What is CVE-2026-12095?

The Kargo Takip plugin for WordPress is vulnerable to a Server-Side Request Forgery (SSRF) attack due to improper validation of the 'api_url' parameter. This vulnerability exists in all versions up to and including 1.2, allowing unauthenticated attackers to initiate web requests to arbitrary locations from the web application. The exploitation of this flaw can enable attackers to query and manipulate information from internal services, as the script reveals internal API responses, specifically data associated with the 'auth' key in JSON responses. This exposure can lead to significant security risks, including the exfiltration of sensitive information from internal services, such as cloud instance metadata endpoints.
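As an added illustration (not code from the Kargo Takip plugin), the pattern the advisory describes, a request-supplied 'api_url' fetched server-side and echoed back, is shown beside a hardened form; the function names, the carrier host and the 'code' query parameter are assumptions for this example:

```php
<?php
// Added example, not the plugin's own code. Function names, the carrier
// host and the 'code' parameter are assumptions made for illustration.

// Vulnerable pattern: the server fetches whatever URL the request names and
// returns the raw body, so any reachable internal service can be queried.
function vulnerable_fetch_from_request() {
    $url      = isset( $_GET['api_url'] ) ? $_GET['api_url'] : '';
    $response = wp_remote_get( $url );                // any scheme, any host
    return wp_remote_retrieve_body( $response );      // raw upstream body
}

// Hardened pattern: the upstream URL is fixed server-side, only the expected
// scheme and host are accepted, the host is resolved and checked against
// private/reserved ranges, redirects are disabled, and only the fields the
// feature needs are returned (never an upstream 'auth' value).
function ssrf_safe_fetch( $tracking_code ) {
    $base         = 'https://api.example-carrier.test/track'; // assumed config
    $allowed_host = 'api.example-carrier.test';                // assumed
    $url          = add_query_arg( 'code', rawurlencode( $tracking_code ), $base );

    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== $parts['scheme'] ) {
        return new WP_Error( 'ssrf_blocked', 'Only https is allowed.' );
    }
    if ( empty( $parts['host'] ) || $parts['host'] !== $allowed_host ) {
        return new WP_Error( 'ssrf_blocked', 'Host is not on the allowlist.' );
    }
    // gethostbyname() returns the name unchanged on failure, which the IP
    // filter below rejects as well. Loopback, RFC1918, link-local (e.g. the
    // cloud metadata range) and other reserved addresses are refused.
    $ip = gethostbyname( $parts['host'] );
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return new WP_Error( 'ssrf_blocked', 'Resolved to a non-public address.' );
    }

    $response = wp_remote_get( $url, array(
        'timeout'            => 5,
        'redirection'        => 0,     // no redirect-based detours to other hosts
        'reject_unsafe_urls' => true,  // WordPress' own wp_http_validate_url() check
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return array(
        'status' => isset( $data['status'] ) ? sanitize_text_field( $data['status'] ) : '',
    );
}
```

The resolve-then-fetch check still leaves a DNS rebinding window, so the allowlist and disabled redirects are the primary controls and the address check is defence in depth.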

Affected Version(s)

Kargo Takip, all versions from 0 up to and including 1.2

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

YU-SHENG YU