CVE-2025-8594
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-14
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | pz-linkcard | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8594 is a Server-Side Request Forgery (SSRF) vulnerability in the Pz-LinkCard WordPress plugin in versions before 2.5.7. The plugin does not validate a user-supplied parameter before making a server-side request to the location it names, so users with Contributor-level permissions or higher can manipulate this parameter and cause the server to make unauthorized requests. This can be exploited by attackers to perform SSRF attacks, potentially reaching internal resources or services. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with Contributor-level access to make the server perform unauthorized requests to internal or external systems. This could lead to exposure of sensitive internal information, unauthorized access to internal services, or use of the server as a proxy for malicious activity, potentially compromising the security and integrity of your WordPress site and its environment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unusual outbound HTTP requests originating from the WordPress server, especially those triggered by Contributor-level users through the Pz-LinkCard plugin. Specifically, look for requests made via the blogcard shortcode whose URL parameter points to internal or otherwise unauthorized addresses. Commands to detect such activity could include inspecting web server logs for suspicious requests, or using a tool like curl to test the vulnerable parameter manually. For example, you might run: curl -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' with parameters mimicking the exploit to see whether SSRF occurs. Note, however, that the referenced resources provide no explicit detection commands. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Pz-LinkCard WordPress plugin to version 2.5.7 or later, where the vulnerability has been fixed by properly validating the parameter before any request is made. If updating immediately is not possible, additionally restrict Contributor-level users from accessing or using the vulnerable functionality. [1]
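The fix the advisory describes, "proper validation of the parameter before making requests", is the generic SSRF guard every server-side fetcher of a user-supplied URL needs. The following is an added example written for this page; it is not Pz-LinkCard's code and does not claim to match how version 2.5.7 implements its check (a WordPress plugin would do the equivalent in PHP around its fetch call). It shows the pattern: accept only http/https, resolve the hostname yourself, reject every non-public address (loopback, RFC 1918, link-local including the 169.254.0.0/16 metadata range, IPv4-mapped IPv6, multicast, reserved), and hand the already-validated IP back to the caller so the fetch does not re-resolve. The resolver is injectable, and the `FAKE_DNS` table and `fake_resolver` are constructed here so the example runs offline.

```python
"""Illustrative SSRF guard for a user-supplied URL (added example, not plugin code)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Ranges to block explicitly on top of the flags the ipaddress module exposes:
# 169.254.0.0/16 (link-local, hosts the usual cloud metadata endpoint) and
# fc00::/7 (IPv6 unique-local, the private-address equivalent).
_EXTRA_BLOCKED = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def _is_public(addr: IPAddress) -> bool:
    """True only for a globally routable unicast address."""
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return False
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return False
    # ::ffff:127.0.0.1 is an IPv6 literal that really means 127.0.0.1.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return _is_public(addr.ipv4_mapped)
    return not any(addr in net for net in _EXTRA_BLOCKED)


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return the public IP the URL resolves to, or raise ValueError.

    The caller should connect to the returned IP (keeping the original Host
    header) so that a second DNS lookup cannot return a different answer.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # An IP literal is checked directly; a hostname is resolved first, and
    # every returned address must be public, not just the first one.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ValueError(f"{host!r} did not resolve")
    for addr in candidates:
        if not _is_public(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return str(candidates[0])


def is_safe_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the checks can be exercised offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "split.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.com/page", "http://internal.corp/", "http://127.0.0.1:8080/",
              "http://169.254.169.254/latest/", "http://[::ffff:127.0.0.1]/",
              "http://split.example/", "ftp://example.com/"):
        print(f"{u:40} -> {'allowed' if is_safe_url(u, fake_resolver) else 'blocked'}")
```

The design point worth taking from this: validate the resolved addresses, not just the hostname string, and check all of them, since a name that returns one public and one loopback record is still a way to reach the loopback service. Returning the vetted IP to the caller is what lets the fetch avoid a second, possibly different, DNS answer.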