Server-Side Request Forgery Vulnerability in Independent Analytics Plugin for WordPress
CVE-2026-5737

6.5 MEDIUM

What is CVE-2026-5737?

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 2.14.9. The issue combines a public tracking route, /wp-json/iawp/search, that accepts attacker-controlled referrer_url values with a favicon fetcher that issues unrestricted cURL requests to whatever domain the referrer names. The route's signature check offers no real protection: it is implemented in publicly accessible JavaScript and uses a salt that is static per site, so an attacker can derive valid signatures. Because the favicon downloader applies no protective checks, an unauthenticated attacker can plant referrer domains in the database and thereby cause the server to issue requests to arbitrary hosts, including internal services.
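The mitigation the advisory describes as missing, written out as an added example (not the plugin's own code; every function and variable name is hypothetical): the referrer host is validated and resolved before any cURL call is made, and the vetted address is pinned so neither a redirect nor a DNS rebind can steer the fetch to an internal service.

```php
<?php
// Added example, not the plugin's own code; all names are hypothetical. The referrer host is
// validated and resolved before any cURL call, and the vetted IP is pinned for the fetch so a
// DNS rebind between check and connect cannot steer the request to an internal host.
// Returns [host, ip] for a referrer URL whose favicon may be fetched, or null. $resolve maps a
// hostname to its IP list (injectable so the check runs offline; defaults to gethostbynamel()).
function favicon_target(string $referrerUrl, ?callable $resolve = null): ?array {
    $resolve = $resolve ?? 'gethostbynamel';
    $p = parse_url($referrerUrl);
    // Web origins only (no file://, gopher://, dict://), and no explicit port or credentials.
    if ($p === false || empty($p['host']) || isset($p['port']) || isset($p['user'])
        || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // A public hostname only: IP literals (including bracketed IPv6) are refused outright.
    $host = strtolower($p['host']);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false || !preg_match('/^[a-z0-9-]+(\.[a-z0-9-]+)+$/', $host)) {
        return null;
    }
    $ips = $resolve($host);
    if (!is_array($ips) || $ips === []) { return null; }
    // Every resolved address must be public: this rejects loopback, RFC 1918, link-local
    // (169.254.0.0/16, where cloud metadata services live) and other reserved ranges.
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) { return null; }
    }
    return [$host, $ips[0]];
}

// Fetches https://host/favicon.ico from the pinned IP with redirects and other protocols disabled.
function fetch_favicon(string $host, string $ip): ?string {
    $ch = curl_init("https://{$host}/favicon.ico");
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE        => ["{$host}:443:{$ip}"], // connect only to the address we vetted
        CURLOPT_FOLLOWLOCATION => false,                 // a 302 to an internal host is never followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3, CURLOPT_TIMEOUT => 5, CURLOPT_MAXFILESIZE => 256 * 1024,
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    return $ok ? $body : null;
}

// Constructed DNS table so the validation can be exercised without network access.
$fakeDns = ['example.com' => ['93.184.216.34'], 'intra.test' => ['10.0.0.5'], 'meta.test' => ['169.254.169.254']];
$resolve = fn(string $h) => $fakeDns[$h] ?? false;
foreach (['https://example.com/', 'http://intra.test/', 'http://meta.test/', 'http://127.0.0.1:8080/', 'file:///etc/hosts'] as $u) {
    printf("%-24s -> %s\n", $u, json_encode(favicon_target($u, $resolve)));  // only example.com passes
}
```

Run with the real resolver (omit the second argument) only on hosts you intend to reach; the demo loop above never opens a socket, since fetch_favicon is only called once a target has passed favicon_target.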

Affected Version(s)

Independent Analytics – WordPress Analytics Plugin: 0 <= version <= 2.14.9

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kirasec