Unauthenticated AJAX Vulnerability in Fediverse Embeds for WordPress
CVE-2026-46698
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 June 2026
What is CVE-2026-46698?
The Fediverse Embeds plugin for WordPress previously allowed an unauthenticated AJAX action that could be exploited by attackers. Specifically, prior to version 1.5.9, it registered the AJAX action 'wp_ajax_nopriv_ftf_get_site_info', which utilized a nonce token meant for security verification. However, this nonce was accessible to any visitor of public pages featuring a fediverse embed, allowing malicious users to reuse it without authentication. By doing so, they could initiate actions using attacker-supplied URLs, compromising site integrity. This vulnerability has been resolved in version 1.5.9, necessitating updates to ensure site security.
Affected Version(s)
fediverse-embeds-wordpress-plugin < 1.5.9