cleantalk
Vulnerabilities and Security Researches

Kargo Takip, CVE-2026-12095

CVE, Research URL

CVE-2026-12095

Home page URL

Security reports for Kargo Takip

Application

Kargo Takip

Published on
Jun 24, 2026
Research Description
The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.
Affected versions
max 1.2.
Status
vulnerable
Previous vulnerability researches
WordPress Tooltip (CVE-2025-46532) , Apr 26, 2025
New vulnerability
Infility Global (CVE-2026-7842) , Jun 25, 2026
Infility Global (CVE-2026-8163) , Jun 25, 2026
Motors – Car Dealer, Classifieds & Listing (CVE-2026-54828) , Jun 25, 2026
130+ Widgets | Best Addons For Elementor – FREE (CVE-2026-11614) , Jun 25, 2026
MIR blocks and shortcodes (CVE-2026-8896) , Jun 25, 2026