CVE-2025-8594
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-14

Assigner: WPScan

Description
The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8594
EUVD
EUVD-2025-34142
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress pz-linkcard *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-8594 is a Server-Side Request Forgery (SSRF) vulnerability in the Pz-LinkCard WordPress plugin versions before 2.5.7. The plugin does not validate a parameter before making a request to it, which allows users with Contributor-level permissions or higher to manipulate this parameter and cause the server to make unauthorized requests. This can be exploited by attackers to perform SSRF attacks, potentially accessing internal resources or services. [1]

Impact Analysis

This vulnerability can allow an attacker with Contributor-level access to make the server perform unauthorized requests to internal or external systems. This could lead to exposure of sensitive internal information, unauthorized access to internal services, or use of the server as a proxy for malicious activities, potentially compromising the security and integrity of your WordPress site and its environment. [1]

Detection Guidance

Detection can involve monitoring for unusual HTTP requests originating from the WordPress server, especially those triggered by users with Contributor-level permissions using the Pz-LinkCard plugin. Specifically, look for requests made via the blogcard shortcode with manipulated URL parameters that point to internal or unauthorized addresses. Commands to detect such activity could include inspecting web server logs for suspicious requests or using tools like curl to test the vulnerable parameter manually. For example, you might run: curl -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' with parameters mimicking the exploit to see if SSRF occurs. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Pz-LinkCard WordPress plugin to version 2.5.7 or later, where the vulnerability has been fixed by proper validation of the parameter before making requests. Additionally, restrict Contributor-level users from accessing or using the vulnerable functionality if updating immediately is not possible. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart