What the vulnerability does
01Description
Server-Side Request Forgery (SSRF) vulnerability in Alobaidi Extend Link extend-link allows Server Side Request Forgery.This issue affects Extend Link: from n/a through <= 2.0.0.
CVE-2026-25310
MEDIUM
CVE-2026-25310: WordPress Extend Link plugin <= 2.0.0 - Server Side Request Forgery (SSRF) vulnerability
CVSS base score
4.9/10
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Extend Link versions 2.0.0 and earlier contain a server-side request forgery vulnerability. An authenticated attacker with low privileges can make the site send HTTP requests to internal or external systems on their behalf. The impact is limited to reading non-sensitive data and making minor modifications. No user interaction is required.
What an attacker can do
03Attacker Capabilities
Make the site send HTTP requests to internal systems or external URLs to read data or trigger actions.
Potential impact on your site
04Site Impact
Authenticated users can probe your internal network, access cloud metadata endpoints, or interact with external services via your site.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the site. Network access to the site is required.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2026-39974 n8n-MCP has an Authenticated SSRF via instance-URL header in multi-tenant HTTP mode
CVE-2026-44286 FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation
CVE-2024-36448 Apache IoTDB Workbench: SSRF Vulnerability (EOL)
CVE-2022-2352 Post SMTP < 2.1.7 - Admin+ Blind SSRF
CVE-2021-38135 Possible External service interaction Vulnerability in OpenText iManager
