{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39521", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:03.414Z", "datePublished": "2026-04-08T08:30:16.011Z", "dateUpdated": "2026-04-08T08:30:16.011Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nelio-content", "product": "Nelio Content", "vendor": "Nelio Software", "versions": [{"changes": [{"at": "4.3.2", "status": "unaffected"}], "lessThanOrEqual": "4.3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:59.829Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.<p>This issue affects Nelio Content: from n/a through <= 4.3.1.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.011Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-3-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Nelio Content plugin <= 4.3.1 - Server Side Request Forgery (SSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1."}], "id": "CVE-2026-39521", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:25.793", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-3-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Nelio Content", "source": "cna", "vendor": "Nelio Software"}, "product": "nelio_content", "vendor": "nelio_software"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:54:22.289785+00:00", "value": {"mitigation_remediation": ["Update the Nelio Content plugin to a version newer than 4.3.1.", "If an update is not immediately possible, disable or uninstall the Nelio Content plugin from the WordPress installation.", "Consult Nelio Software\u2019s website or the patchstack advisory for the latest patches or remediation advice."], "summary": {"action": "Patch Now", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected vendor is Nelio Software, specifically the Nelio Content plugin for WordPress. Vulnerable releases include any version from the original release through version 4.3.1, inclusive. No further version or build details are specified in the CNA data.", "description_and_impact": "Nelio Content plugin for WordPress contains a Server Side Request Forgery vulnerability in all releases up through version 4.3.1. An exploited flaw allows an attacker to instruct the plugin to send arbitrary HTTP requests from the server, which can be used to access internal networks, gather sensitive information, and potentially pivot to other systems.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable; thus the quantified severity and likelihood of exploitation are unknown. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. According to the description, exploitation requires the plugin to be installed and functional on a WordPress site; no explicit requirement for authentication is stated, so the likely attack vector involves usage of the plugin's capabilities through the WordPress administration interface or front\u2011end pages. If an attacker can trigger the SSRF, they could force requests to internal services, potentially exposing data or enabling further attacks."}}}}, "created": "2026-04-08T19:30:28.767987+00:00", "updated": "2026-04-08T19:42:45.473983+00:00", "vendors": ["nelio_software", "nelio_software$PRODUCT$nelio_content", "wordpress", "wordpress$PRODUCT$wordpress"]}