CVE-2026-24548
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in the Prince Radio Player WordPress plugin allows attackers to make unauthorized requests from the vulnerable server to internal or external systems. It affects all WordPress sites running Radio Player plugin versions up to and including 2.0.91. Attackers can potentially access internal services, bypass firewalls, or interact with cloud metadata services.
💻 Affected Systems
- Prince Radio Player WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through chained attacks, data exfiltration from internal services, or cloud metadata exploitation leading to privilege escalation.
Likely Case
Internal network reconnaissance, access to internal HTTP services, or interaction with cloud metadata APIs.
If Mitigated
Limited to port scanning internal services or minimal information disclosure if proper network segmentation exists.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and require minimal technical skill. The vulnerability is in a WordPress plugin, making automated exploitation likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >2.0.91
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Radio Player' plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install the latest version from the WordPress repository.
🔧 Temporary Workarounds
Network Restriction
Linux: Restrict outbound HTTP requests from the web server to only the necessary destinations. iptables evaluates the OUTPUT chain in order and stops at the first match, so the ACCEPT rules for allowed destinations must be appended before the catch-all DROP rules, otherwise all outbound HTTP is dropped. A hostname given with -d is resolved once, when the rule is inserted; if the server must still reach the WordPress.org update and plugin repositories, add ACCEPT rules for those hosts as well.
iptables -A OUTPUT -p tcp --dport 80 -d allowed.domain.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -d allowed.domain.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
WAF Rule
All platforms: Implement Web Application Firewall rules to block SSRF patterns. Example ModSecurity rule (the duplicated 169.254.169.254 alternative in the original regex is removed; the rule matches only these literal strings in request arguments, so treat it as one layer alongside the egress filtering above):
ModSecurity rule: SecRule ARGS "@rx (127\.0\.0\.1|localhost|169\.254\.169\.254|metadata\.google)" "id:1001,phase:2,deny,status:403,msg:'SSRF Attempt'"
🧯 If You Can't Patch
- Immediately deactivate and remove the Radio Player plugin from all WordPress installations
- Implement strict network egress filtering to block web server outbound requests to internal IP ranges and cloud metadata endpoints
🔍 How to Verify
Check if Vulnerable:
Check the WordPress plugin version: in WordPress admin, go to Plugins > Installed Plugins and verify whether the Radio Player version is <= 2.0.91.
Check Version:
wp plugin list --name=radio-player --field=version
Verify Fix Applied:
Confirm Radio Player plugin version is >2.0.91 in WordPress admin plugins page
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IP addresses
- Requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal)
- Multiple failed HTTP requests to different internal ports
Network Indicators:
- Web server making HTTP requests to internal network segments
- Traffic to cloud provider metadata services from web application
SIEM Query:
source="web_server_logs" AND (dest_ip=~"10.*" OR dest_ip=~"172.(1[6-9]|2[0-9]|3[01]).*" OR dest_ip=~"192.168.*" OR dest_ip="127.0.0.1" OR dest_ip="169.254.169.254")
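The same detection logic as the SIEM query, run offline over web server egress logs, as an added example that is not part of this advisory or the plugin. The log line format (`<timestamp> src=<ip> dest=<host or ip[:port]>`) and the sample lines are constructed assumptions; unlike the query above it covers the full 172.16.0.0/12 range, loopback and IPv6 private space via the standard library `ipaddress` module.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Destination ranges an SSRF through the plugin would be steered toward:
# loopback, RFC 1918 private space, link-local (which contains the cloud
# metadata address 169.254.169.254) and their IPv6 counterparts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Well-known cloud metadata endpoints named in the advisory.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Constructed log format (assumption): "<ts> src=<ip> dest=<host-or-ip[:port]>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dest=(?P<dest>\S+)$")


def classify_dest(dest: str) -> Optional[str]:
    """Return a finding label for an outbound destination, or None if benign."""
    # Strip an IPv4 ":port" suffix; an IPv6 literal has more than one colon.
    host = dest.rsplit(":", 1)[0] if dest.count(":") == 1 else dest
    if host.lower() in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # public hostname, not flagged by this check
    for net in INTERNAL_NETS:
        if addr in net:
            return "internal-" + str(net)
    return None


def find_ssrf_indicators(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, destination, label) for every flagged log line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        label = classify_dest(m["dest"])
        if label:
            findings.append((m["ts"], m["dest"], label))
    return findings


# Constructed sample egress log: one legitimate stream fetch, three indicators.
SAMPLE_LOG = """\
2026-01-10T12:00:01Z src=10.0.5.20 dest=cdn.example.net
2026-01-10T12:00:02Z src=10.0.5.20 dest=169.254.169.254
2026-01-10T12:00:03Z src=10.0.5.20 dest=172.20.3.7:8080
2026-01-10T12:00:04Z src=10.0.5.20 dest=metadata.google.internal
""".splitlines()

if __name__ == "__main__":
    for ts, dest, label in find_ssrf_indicators(SAMPLE_LOG):
        print(f"{ts} {dest} -> {label}")
```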