{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39695", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:16.464Z", "datePublished": "2026-04-08T08:30:45.786Z", "dateUpdated": "2026-04-08T08:30:45.786Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "podigee", "product": "Podigee", "vendor": "podigee", "versions": [{"lessThanOrEqual": "1.4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:44.215Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.<p>This issue affects Podigee: from n/a through <= 1.4.0.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:45.786Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/podigee/vulnerability/wordpress-podigee-plugin-1-4-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Podigee plugin <= 1.4.0 - Server Side Request Forgery (SSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0."}], "id": "CVE-2026-39695", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:41.910", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/podigee/vulnerability/wordpress-podigee-plugin-1-4-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Podigee", "source": "cna", "vendor": "podigee"}, "product": "podigee", "vendor": "podigee"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:44:00.135816+00:00", "value": {"mitigation_remediation": ["Update the Podigee plugin to the latest available version that addresses SSRF; verify with the vendor or reputable sources that the issue is resolved.", "If an update is not available or the plugin is unnecessary, remove or disable it from the WordPress installation.", "Configure a web application firewall to detect and block suspicious outbound requests that may be triggered by the plugin.", "Limit outbound traffic from the web server using firewall rules or network segmentation to reduce the impact of any residual SSRF exposure."], "summary": {"action": "Immediate Patch", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Any WordPress site that uses the Podigee plugin version 1.4.0 or earlier is impacted. The plugin is distributed by Podigee and is available from its earliest releases up to version 1.4.0, with no known further variants supplied.", "description_and_impact": "The vulnerability is a Server Side Request Forgery (SSRF) flaw in the Podigee WordPress plugin. It allows an attacker to make the web server initiate arbitrary HTTP requests to internal or external resources. Such requests can reveal sensitive data, enable further server compromise, or facilitate internal network reconnaissance, depending on the targets accessed.", "risk_and_exploitability": "The publicly available severity metrics are incomplete; no CVSS score is listed and EPSS data is not provided, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector is remote, with an attacker crafting a malicious HTTP request to the WordPress site to exploit the plugin\u2019s request handling. Exploitation requires the target to be accessible over the network and for the vulnerable plugin to be present and processing untrusted input. The risk is significant for exposed WordPress installations, as SSRF can lead to a wide range of malicious outcomes whenever unvalidated outbound requests are permitted."}}}}, "created": "2026-04-08T19:27:39.925436+00:00", "updated": "2026-04-08T19:40:24.911836+00:00", "vendors": ["podigee", "podigee$PRODUCT$podigee", "wordpress", "wordpress$PRODUCT$wordpress"]}