CVE-2026-5737 MEDIUM

CVE-2026-5737: Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route

Vendor Bensibley
Product Independent Analytics – WordPress Analytics Plugin
Weakness CWE-918 · SSRF
Published May 28, 2026
Last update May 28, 2026

CVSS base score

6.5/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. The public tracking route at /wp-json/iawp/search accepts attacker-controlled referrer_url values whenever the accompanying signature matches, and a scheduled favicon fetcher later performs unrestricted cURL requests to the domains stored from those values. The signature check is insufficient because the signature is embedded in publicly accessible JavaScript and the salt is static per site, so an attacker can extract a valid signature. The favicon downloader uses raw cURL functions with no SSRF protection: it does not block localhost, does not filter private network ranges, and does not use WordPress's wp_safe_remote_* functions. As a result, unauthenticated attackers can inject malicious referrer domains into the database and cause the server to issue requests to arbitrary hosts, including internal services.
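The two patterns the description contrasts, written out as an added example. This is illustrative code, not the plugin's own: the function names, the assumption that the fetcher requests https://<domain>/favicon.ico, and the hostname regex are all hypothetical. The first function shows the unsafe shape (raw cURL against a stored, attacker-influenced domain, following redirects); the second routes the same fetch through wp_safe_remote_get, which passes the URL through wp_http_validate_url, rejecting loopback, private and link-local IPv4 destinations, userinfo, non-http(s) schemes and non-standard ports, and re-applies that validation to each redirect target.

```php
<?php
// Added example, not Independent Analytics code. Helper names and the
// favicon URL shape (https://<domain>/favicon.ico) are assumptions.

// UNSAFE: the pattern the advisory describes. $domain comes from a stored
// referrer value an unauthenticated client supplied, so it may be
// "127.0.0.1", "169.254.169.254", "internal-api:8080" or a public name
// that resolves to an internal address. Nothing here checks any of that.
function fetch_favicon_unsafe(string $domain): ?string {
    $ch = curl_init("https://{$domain}/favicon.ico");
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true, // a 30x from a public host can pivot inside
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// HARDENED: constrain the stored value to a bare public-looking hostname,
// build the URL ourselves, and let the WordPress "safe" HTTP API resolve the
// host and refuse unsafe destinations (including on redirects).
function fetch_favicon_safe(string $domain): ?string {
    // Hypothetical allowlist shape: labels of letters/digits/hyphens, a
    // letters-only TLD. Rejects IP literals, "localhost", ports, userinfo,
    // schemes and paths before anything touches the network.
    $hostname_re = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    if (!preg_match($hostname_re, $domain)) {
        return null;
    }

    $url = 'https://' . strtolower($domain) . '/favicon.ico';

    // wp_safe_remote_get() sets reject_unsafe_urls, so wp_http_validate_url()
    // resolves the host and drops loopback/private/link-local targets and
    // ports other than 80/443/8080. The same check runs on redirect hops.
    $response = wp_safe_remote_get($url, [
        'timeout'             => 5,
        'redirection'         => 2,
        'limit_response_size' => 256 * 1024, // a favicon should not be large
    ]);
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return null;
    }

    // Only accept an image; an HTML error page or API response is not a favicon.
    $type = wp_remote_retrieve_header($response, 'content-type');
    if (!is_string($type) || strpos($type, 'image/') !== 0) {
        return null;
    }
    return wp_remote_retrieve_body($response);
}
```

Two caveats a reviewer of the hardened version should keep in mind. The regex alone is not an SSRF defence: a syntactically public hostname can still resolve to 10.0.0.5 or 127.0.0.1, which is why the resolved-address check inside wp_safe_remote_get is the control that matters. And that check resolves the name once, at validation time, with gethostbyname (a single IPv4 answer), so DNS rebinding between the check and the connect, and IPv6-only internal targets, remain residual risks that an egress firewall or a dedicated outbound proxy would address better than the application can.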

Explanation of Vulnerability in Simple Terms

Summary

Independent Analytics versions 2.14.9 and earlier contain a server-side request forgery vulnerability. An unauthenticated attacker can make the plugin send HTTP requests to internal or external systems on behalf of the site. This could expose sensitive data or allow interaction with services that should be restricted to the site itself.

What an attacker can do

Attacker Capabilities

Make the site send HTTP requests to internal systems or external URLs without authorization.

Potential impact on your site

Site Impact

Attackers can probe your internal network, access metadata services, or interact with restricted APIs using your site's IP address.

Conditions required to exploit

Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated
