CVE-2025-59138
Description
Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy genemy allows Server Side Request Forgery. This issue affects Genemy: from n/a through <= 1.6.6.
Analysis
Server-Side Request Forgery (SSRF) in Jthemes Genemy WordPress theme versions up to 1.6.6 allows unauthenticated remote attackers to make arbitrary HTTP requests from the affected server, potentially accessing internal resources, cloud metadata endpoints, or services restricted to localhost. No CVSS score is assigned in official databases; EPSS probability is extremely low at 0.01%, and no public exploit code or active exploitation has been identified. The vulnerability was reported by Patchstack's security audit team.
Technical Context
This SSRF vulnerability (CWE-918) exists in the Jthemes Genemy WordPress theme, a theme that adds design and functionality to a WordPress site. SSRF arises when server-side code issues an HTTP request to a destination taken from user input without validating and restricting where that request may go, so an attacker can steer the application into contacting destinations it was never meant to reach. The affected product is a WordPress theme (its CPE entry places it under WordPress plugin/theme infrastructure), which runs server-side PHP code to render pages and handle user input. Because Genemy's request-issuing code path neither validates the input nor filters the request destination, forged requests can bypass network segmentation, reach internal APIs, or retrieve sensitive data from backend services.
Affected Products
The Jthemes Genemy WordPress theme is affected in all versions from an unspecified baseline through version 1.6.6. The vendor's official advisory is hosted at Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability). No other product variants or version numbers are specified in the available data.
Remediation
Update Jthemes Genemy theme to a version newer than 1.6.6 immediately. The vendor has released a patched version; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability for the specific fixed version number and installation instructions. In the interim, restrict outbound HTTP/HTTPS requests from the WordPress server using firewall rules or WAF policies to block requests to internal IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254 for AWS). Monitor server logs for unexpected outbound connection attempts.
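The destination filtering that the remediation and technical-context sections describe can also be applied in the theme's own PHP, before any server-side HTTP request is issued. The following is an added example written for this page; it is not code from the Genemy theme or from Patchstack, and the function names (prefixed `genemy_demo_`), the resolver map and the sample URLs are all constructed for the demonstration. It shows the unchecked pattern the advisory describes beside a check that refuses the loopback, private and link-local ranges listed above (including 169.254.169.254), rejects non-HTTP schemes and unusual ports, and resolves hostnames so a public-looking DNS name that points inward is caught as well.

```php
<?php
// Added example, not code from the Genemy theme: a destination check that a
// WordPress theme or plugin could apply before making a server-side HTTP
// request on behalf of a user-supplied URL. All function names are hypothetical.

/**
 * True if $ip is a routable public address. filter_var's flags reject the
 * ranges named in the advisory: FILTER_FLAG_NO_PRIV_RANGE covers 10.0.0.0/8,
 * 172.16.0.0/12, 192.168.0.0/16 (and IPv6 fc00::/7); FILTER_FLAG_NO_RES_RANGE
 * covers 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 (so 169.254.169.254) and
 * 240.0.0.0/4 (and IPv6 ::1, ::, ::ffff:0:0/96, fe80::/10).
 */
function genemy_demo_is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Validate an outbound URL. Returns [bool $ok, string $reason].
 * $resolver maps a hostname to its addresses; it is injectable so the check
 * can be exercised offline (the default uses gethostbynamel(), IPv4 only;
 * production code should also query AAAA records).
 */
function genemy_demo_validate_outbound_url(string $url, ?callable $resolver = null): array
{
    $resolver = $resolver ?? function (string $host): array {
        $ips = gethostbynamel($host);
        return $ips === false ? [] : $ips;
    };

    $parts = parse_url($url);
    if ($parts === false) {
        return [false, 'unparseable URL'];
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '$scheme' not allowed"];      // blocks file://, gopher://, etc.
    }
    if (empty($parts['host'])) {
        return [false, 'missing host'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL not allowed'];   // http://trusted@evil.example tricks
    }
    // A non-default port usually means an internal service rather than a web page.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return [false, "port $port not allowed"];
    }

    $host = strtolower(trim($parts['host'], '[]'));         // strip IPv6 literal brackets
    // An IP literal is checked directly; a hostname is checked on every address
    // it resolves to, so a DNS name pointing at an internal address is refused.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($addresses === []) {
        return [false, "host '$host' did not resolve"];
    }
    foreach ($addresses as $ip) {
        if (!genemy_demo_is_public_ip($ip)) {
            return [false, "host '$host' resolves to non-public address $ip"];
        }
    }
    return [true, 'ok'];
}

// --- Unchecked pattern the advisory describes (CWE-918), shown for contrast ---
// $body = wp_remote_retrieve_body(wp_remote_get($_GET['url']));   // no destination check
//
// --- Hardened pattern ---
// [$ok, $why] = genemy_demo_validate_outbound_url($_GET['url']);
// if (!$ok) { wp_die('Refused outbound request: ' . esc_html($why)); }
// $body = wp_remote_retrieve_body(wp_safe_remote_get($_GET['url']));

// Constructed resolver so the demo runs offline; these name-to-address mappings are made up.
$fakeDns = function (string $host): array {
    return [
        'www.example.com'       => ['93.184.216.34'],
        'internal.corp.example' => ['10.20.30.40'],                    // public name, private address
        'meta.rebind.example'   => ['93.184.216.34', '169.254.169.254'], // one bad answer is enough to refuse
    ][$host] ?? [];
};

$cases = [
    'https://www.example.com/feed.xml',         // ALLOW
    'http://169.254.169.254/latest/meta-data/', // DENY: link-local (cloud metadata)
    'http://127.0.0.1/admin',                   // DENY: loopback
    'http://www.example.com:6379/',             // DENY: non-web port
    'http://internal.corp.example/api',         // DENY: resolves to 10.0.0.0/8
    'http://meta.rebind.example/',              // DENY: one resolved address is link-local
    'http://[::1]/',                            // DENY: IPv6 loopback
    'file:///etc/passwd',                       // DENY: scheme
];
foreach ($cases as $url) {
    [$ok, $why] = genemy_demo_validate_outbound_url($url, $fakeDns);
    printf("%-45s %s (%s)\n", $url, $ok ? 'ALLOW' : 'DENY ', $why);
}
```

Two caveats apply to any check of this shape. First, the validator resolves the name itself and the HTTP client resolves it again when it connects, so a DNS server that answers differently the second time can slip past it; pinning the validated address for the actual connection (for example with curl's `CURLOPT_RESOLVE`) or, as the advisory recommends, blocking the internal ranges at the firewall or WAF closes that gap. Second, a 3xx redirect to an internal address bypasses a check made only on the original URL, so redirects must be disabled or re-validated. Within WordPress, `wp_safe_remote_get()` (and the `reject_unsafe_urls` request argument behind it) runs `wp_http_validate_url()`, which performs a comparable private-range check; the stand-alone function above is meant to make the logic visible, not to replace that API.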