← volver
CVE-2025-9975

WP Scraper <= 5.8.1 - Authenticated (Administrator+) Server-Side Request Forgery

CVSS 6.8 MEDIUMEPSS 0.3%CWE-918
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.8EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
11 oct 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The WP Scraper plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.8.1 via the wp_scraper_extract_content function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Productos afectados
rico-macchi · WP Scraper