CVE-2025-49430
BaseFortify
Publication date: 2025-09-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | wordpress_ultimate_video_player | 10.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) in the WordPress Ultimate Video Player Plugin up to version 10.1. It allows an unauthenticated attacker to make the affected website send requests to arbitrary domains controlled by the attacker. This can lead to exposure of sensitive information from other services running on the same system. The vulnerability requires no privileges to exploit and falls under the OWASP Top 10 category A10: SSRF. [1]
How can this vulnerability impact me?
An attacker exploiting this vulnerability can induce the affected website to send requests to attacker-controlled domains, potentially exposing sensitive information from internal services on the same system. This can lead to unauthorized data disclosure and may compromise the security of the affected system. Since no official patch is available, sites remain at risk unless mitigated by virtual patches or other protective measures. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves monitoring for unusual outbound requests from the affected WordPress Ultimate Video Player plugin to attacker-controlled domains. Since no official patch is available, using server-side malware scanning and professional incident response is recommended. Specific commands are not provided in the resources, but monitoring HTTP logs for unexpected external requests or using network monitoring tools to detect suspicious outbound traffic may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack, which blocks attack attempts until an official fix is released. It is safe to apply and test this virtual patch to protect affected sites. Additionally, professional incident response and server-side malware scanning are recommended if a site is suspected to be compromised. Since no official patch is available yet, virtual patching is the primary recommended defense. [1]