Server-Side Request Forgery in WordPress URL Preview Plugin
CVE-2026-12100

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 24 June 2026

What is CVE-2026-12100?

The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 1.0. The vulnerability arises from improper handling of the 'url' parameter, which lets unauthenticated attackers cause the web application to make arbitrary web requests. As a result, attackers can potentially query and manipulate information from internal services, posing a significant risk to site integrity and data confidentiality.

Affected Version(s)

URL Preview: versions 0 through 1.0 (<= 1.0)

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YU-SHENG YU