CWE-918
Server-Side Request Forgery (SSRF)
Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-664
CVEs mapped to this weakness (1,583)
Page 46 of 80

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-14627 |  | Med | 0.35 | 6.4 | 0.00 |  | Jan 1, 2026 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the… |
| CVE-2025-62088 |  | Med | 0.35 | 5.4 | 0.00 |  | Dec 31, 2025 | Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site wp_scraper allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through <=… |
| CVE-2025-67623 |  | Med | 0.35 | 5.4 | 0.00 |  | Dec 24, 2025 | Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery. This issue affects 6Storage Rentals: from n/a through <= 2.22.0. |
| CVE-2025-14443 |  | Med | 0.35 | 6.4 | 0.00 |  | Dec 16, 2025 | A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range… |
| CVE-2025-67989 |  | Med | 0.35 | 5.4 | 0.00 |  | Dec 16, 2025 | Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery. This issue affects Kerge: from n/a through <= 4.1.3. |
| CVE-2025-13378 |  | Med | 0.35 | 6.5 | 0.00 |  | Nov 27, 2025 | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web… |
| CVE-2025-12800 |  | Med | 0.35 | 6.4 | 0.00 |  | Nov 23, 2025 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level… |
| CVE-2025-12359 |  | Med | 0.35 | 5.4 | 0.00 |  | Nov 19, 2025 | The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is due to insufficient validation of user-supplied URLs when determining image… |
| CVE-2025-12388 |  | Med | 0.35 | 6.4 | 0.00 |  | Nov 5, 2025 | The B Carousel Block – Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wp_remote_request()… |
| CVE-2025-11917 |  | Med | 0.35 | 6.4 | 0.00 |  | Nov 5, 2025 | The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to… |
| CVE-2025-49374 |  | Med | 0.35 | 5.4 | 0.00 |  | Oct 22, 2025 | Server-Side Request Forgery (SSRF) vulnerability in captcha.eu Captcha.eu captcha-eu allows Server Side Request Forgery. This issue affects Captcha.eu: from n/a through <= 1.0.61. |
| CVE-2025-60181 |  | Med | 0.35 | 5.4 | 0.00 |  | Sep 26, 2025 | Server-Side Request Forgery (SSRF) vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Server Side Request Forgery. This issue affects Silencesoft RSS Reader: from n/a through <= 0.6. |
| CVE-2025-60161 |  | Med | 0.35 | 5.4 | 0.00 |  | Sep 26, 2025 | Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks zoloblocks allows Server Side Request Forgery. This issue affects ZoloBlocks: from n/a through <= 2.3.11. |
| CVE-2025-10137 | — | Med | 0.35 | 5.4 | 0.00 |  | Sep 26, 2025 | The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web… |
| CVE-2025-58005 |  | Med | 0.35 | 5.4 | 0.00 |  | Sep 22, 2025 | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft DriCub dricub-driving-school allows Server Side Request Forgery. This issue affects DriCub: from n/a through <= 2.9. |
| CVE-2025-58641 |  | Med | 0.35 | 5.4 | 0.00 |  | Sep 3, 2025 | Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup exitintentpopup allows Server Side Request Forgery. This issue affects Exit Intent Popup: from n/a through <= 1.0.1. |
| CVE-2025-25229 |  | Med | 0.35 | 5.4 | 0.00 |  | Aug 11, 2025 | Omnissa Workspace ONE UEM contains a Server-Side Request Forgery (SSRF) Vulnerability. A malicious actor with user privileges may be able to access restricted internal system information, potentially enabling enumeration of internal network resources. |
| CVE-2025-28963 |  | Med | 0.35 | 5.4 | 0.00 |  | Jul 4, 2025 | Server-Side Request Forgery (SSRF) vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Server Side Request Forgery. This issue affects URL Shortener: from n/a through <= 3.0.7. |
| CVE-2024-51981 |  | Med | 0.35 | 5.3 | 0.01 |  | Jun 25, 2025 | An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CRLF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The… |
| CVE-2024-51980 |  | Med | 0.35 | 5.3 | 0.01 |  | Jun 25, 2025 | An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port… |