CVE-2025-67961
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| marco_van_wieren | wpo365_login | up to and including 40.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67961 is a Server-Side Request Forgery (SSRF) vulnerability in the WordPress WPO365 Login plugin, versions up to and including 40.0. It allows an authenticated attacker to make the affected site issue HTTP requests to a destination of the attacker's choosing. Because the request originates from the web server itself, it can reach resources the attacker cannot reach directly, such as services bound to localhost or to the internal network, and the response (or its side effects) may expose sensitive information from those services. [1]
How can this vulnerability impact me?
This vulnerability lets an attacker induce your server to send HTTP requests to destinations the attacker selects. The server then acts as a proxy into your environment, which can expose information from other services reachable from the web host (internal APIs, admin interfaces, cloud metadata endpoints) and thereby compromise internal data. The advisory states that exploitation requires only subscriber or developer privileges, so a low-privileged account is sufficient, which makes the issue comparatively easy to reach on sites that allow user registration. The CVSS base score is 6.4 (medium severity). [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability relies on spotting outbound HTTP requests from the WordPress host that fall outside its normal egress profile. The WPO365 plugin integrates the site with Microsoft 365, so its legitimate outbound traffic is narrow and predictable; requests from the web server to attacker-controlled domains, or to loopback, RFC 1918 or link-local addresses such as a cloud metadata endpoint, are the signal to look for. Egress proxy or firewall logs, NetFlow, and the web server's own outbound connection records are the usual sources. Specific commands are not provided in the available resources. [1]
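The check described above, written out as an added example (this is not code from the advisory, from BaseFortify or from the WPO365 project): it parses constructed egress-proxy log lines and flags requests from the web server to internal addresses or to hosts outside an expected-destination allowlist. The log format, the web server IP and the allowlist of Microsoft endpoints are assumptions for the example; adapt them to what your proxy actually logs and what your site actually talks to.

```python
"""Flag outbound requests from a WordPress host that do not fit its expected egress.

Added example for spotting SSRF abuse; not part of the advisory or the plugin.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Destinations a Microsoft 365 login plugin is expected to contact.
# Assumption for this example, not a list published by the plugin vendor.
EXPECTED_EGRESS_HOSTS = {
    "login.microsoftonline.com",
    "graph.microsoft.com",
}

# Constructed egress-proxy log: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_EGRESS_LOG = """\
2026-01-23T10:01:02Z 10.0.0.12 GET https://graph.microsoft.com/v1.0/me 200
2026-01-23T10:01:05Z 10.0.0.12 POST https://login.microsoftonline.com/common/oauth2/v2.0/token 200
2026-01-23T10:02:11Z 10.0.0.12 GET http://169.254.169.254/latest/meta-data/ 200
2026-01-23T10:02:14Z 10.0.0.12 GET http://10.0.0.5:8080/admin 403
2026-01-23T10:03:40Z 10.0.0.12 GET https://attacker.example/collect?x=1 200
2026-01-23T10:03:41Z 10.0.0.12 GET https://127.0.0.1:9200/_cat/indices 200
2026-01-23T10:04:00Z 10.0.0.44 GET https://attacker.example/other 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_destination(url):
    """Return None if the destination is expected, otherwise a short reason."""
    host = urlsplit(url).hostname  # lower-cased, brackets stripped for IPv6
    if host is None:
        return "unparseable-url"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address
    if ip is not None:
        # Loopback, RFC 1918 and link-local (169.254.0.0/16, where cloud
        # metadata services live) are classic SSRF targets.
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return "internal-address"
        return "unexpected-ip"  # literal public IP: not how the plugin talks to M365
    if host in EXPECTED_EGRESS_HOSTS:
        return None
    return "unexpected-host"


def find_suspicious_egress(log_text, web_server_ips):
    """Return (timestamp, url, reason) for each suspicious request from the web tier."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] not in web_server_ips:
            continue  # malformed line, or traffic from a host we are not watching
        reason = classify_destination(m["url"])
        if reason:
            findings.append((m["ts"], m["url"], reason))
    return findings


if __name__ == "__main__":
    for ts, url, reason in find_suspicious_egress(SAMPLE_EGRESS_LOG, {"10.0.0.12"}):
        print(f"{ts} {reason:17} {url}")
```

One caveat: this matches on the hostname the server was asked to fetch, so an attacker-controlled name that resolves to an internal address (DNS rebinding) would pass the allowlist check. Logs from a proxy that records the resolved IP, or an egress firewall that only permits the expected destinations, close that gap.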
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are to update the WPO365 Login plugin to version 40.1 or later, where the vulnerability is fixed. Until the update can be applied, apply Patchstack's provided mitigation rule to block attacks targeting this vulnerability. Enabling automatic updates for the plugin helps ensure that future fixes are applied promptly. [1]
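A way to confirm where a site stands before and after the update, as an added example that is not from the advisory or the plugin: it reads the JSON that `wp plugin list --format=json` prints and reports whether the installed WPO365 version is still in the affected range (below 40.1) and whether auto-updates are on. The plugin slug `wpo365-login` and the `auto_update` field are assumptions; the sample WP-CLI output is constructed.

```python
"""Report whether the installed WPO365 plugin is at or below the affected range.

Added example; not code from the advisory, BaseFortify or the plugin.
"""
import json
import subprocess

PLUGIN_SLUG = "wpo365-login"   # assumed wordpress.org slug of the plugin
FIXED_VERSION = "40.1"         # first fixed release named in the advisory


def parse_version(v):
    """'40.0' -> (40, 0). Non-numeric suffixes ('40.1-rc1') are truncated to digits."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version):
    """True for every version below the fixed release, i.e. 40.0 and earlier."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(plugin_list_json):
    """Summarise the plugin from `wp plugin list --format=json`; None if not installed."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "0")
            return {
                "version": version,
                "affected": is_affected(version),
                # 'auto_update' is assumed to be 'on'/'off' as WP-CLI prints it.
                "auto_update": plugin.get("auto_update") == "on",
            }
    return None


def assess_site(wp_path="."):
    """Run WP-CLI against a real install (requires `wp` on PATH)."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return assess(out)


# Constructed sample of WP-CLI output for a site that has not yet updated.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "auto_update": "off"},
    {"name": "wpo365-login", "status": "active", "update": "available",
     "version": "40.0", "auto_update": "off"},
])

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_LIST))
```

If `affected` is true, `wp plugin update wpo365-login` applies the fix, and `wp plugin auto-updates enable wpo365-login` turns on automatic updates for the plugin.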
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to induce the server to make arbitrary HTTP requests, potentially exposing sensitive internal data. Such exposure could put the site out of compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access. If exploited, this SSRF vulnerability may therefore negatively affect compliance with these regulations. [1]