CVE-2025-8594
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-8594, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-14

Last updated on: 2025-10-14

Assigner: WPScan

Description

The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attack.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-14
Last Modified
2025-10-14
Generated
2026-07-06
AI Q&A
2025-10-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress pz-linkcard *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-8594 is a Server-Side Request Forgery (SSRF) vulnerability in the Pz-LinkCard WordPress plugin versions before 2.5.7. The plugin does not validate a parameter before making a request to it, which allows users with Contributor-level permissions or higher to manipulate this parameter and cause the server to make unauthorized requests. This can be exploited by attackers to perform SSRF attacks, potentially accessing internal resources or services. [1]

Impact Analysis

This vulnerability can allow an attacker with Contributor-level access to make the server perform unauthorized requests to internal or external systems. This could lead to exposure of sensitive internal information, unauthorized access to internal services, or use of the server as a proxy for malicious activities, potentially compromising the security and integrity of your WordPress site and its environment. [1]

Detection Guidance

Detection can involve monitoring for unusual HTTP requests originating from the WordPress server, especially those triggered by users with Contributor-level permissions using the Pz-LinkCard plugin. Specifically, look for requests made via the blogcard shortcode with manipulated URL parameters that point to internal or unauthorized addresses. Commands to detect such activity could include inspecting web server logs for suspicious requests or using tools like curl to test the vulnerable parameter manually. For example, you might run: curl -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' with parameters mimicking the exploit to see if SSRF occurs. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Pz-LinkCard WordPress plugin to version 2.5.7 or later, where the vulnerability has been fixed by proper validation of the parameter before making requests. Additionally, restrict Contributor-level users from accessing or using the vulnerable functionality if updating immediately is not possible. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart