VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Base | Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 46 of 80
  • CVE-2025-14627 | Med | Jan 1, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the…

  • CVE-2025-62088 | Med | Dec 31, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site wp_scraper allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through <=…

  • CVE-2025-67623 | Med | Dec 24, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery. This issue affects 6Storage Rentals: from n/a through <= 2.22.0.

  • CVE-2025-14443 | Med | Dec 16, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range…

  • CVE-2025-67989 | Med | Dec 16, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery. This issue affects Kerge: from n/a through <= 4.1.3.

  • CVE-2025-13378 | Med | Nov 27, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web…

  • CVE-2025-12800 | Med | Nov 23, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level…

  • CVE-2025-12359 | Med | Nov 19, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is due to insufficient validation of user-supplied URLs when determining image…

  • CVE-2025-12388 | Med | Nov 5, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The B Carousel Block – Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request()…

  • CVE-2025-11917 | Med | Nov 5, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…

  • CVE-2025-49374 | Med | Oct 22, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in captcha.eu Captcha.eu captcha-eu allows Server Side Request Forgery. This issue affects Captcha.eu: from n/a through <= 1.0.61.

  • CVE-2025-60181 | Med | Sep 26, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Server Side Request Forgery. This issue affects Silencesoft RSS Reader: from n/a through <= 0.6.

  • CVE-2025-60161 | Med | Sep 26, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks zoloblocks allows Server Side Request Forgery. This issue affects ZoloBlocks: from n/a through <= 2.3.11.

  • CVE-2025-10137 | Med | Sep 26, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web…

  • CVE-2025-58005 | Med | Sep 22, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft DriCub dricub-driving-school allows Server Side Request Forgery. This issue affects DriCub: from n/a through <= 2.9.

  • CVE-2025-58641 | Med | Sep 3, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup exitintentpopup allows Server Side Request Forgery. This issue affects Exit Intent Popup: from n/a through <= 1.0.1.

  • CVE-2025-25229 | Med | Aug 11, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Omnissa Workspace ONE UEM contains a Server-Side Request Forgery (SSRF) Vulnerability. A malicious actor with user privileges may be able to access restricted internal system information, potentially enabling enumeration of internal network resources.

  • CVE-2025-28963 | Med | Jul 4, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Server Side Request Forgery. This issue affects URL Shortener: from n/a through <= 3.0.7.

  • CVE-2024-51981 | Med | Jun 25, 2025
    risk 0.35 | cvss 5.3 | epss 0.01

    An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CRLF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The…

  • CVE-2024-51980 | Med | Jun 25, 2025
    risk 0.35 | cvss 5.3 | epss 0.01

    An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port…