Skip to main content

Jthemes Genemy CVE-2025-59138

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2025-12-31 audit@patchstack.com
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.9 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy genemy allows Server Side Request Forgery.This issue affects Genemy: from n/a through <= 1.6.6.

AnalysisAI

Server-Side Request Forgery (SSRF) in Jthemes Genemy WordPress theme versions up to 1.6.6 allows unauthenticated remote attackers to make arbitrary HTTP requests from the affected server, potentially accessing internal resources, cloud metadata endpoints, or services restricted to localhost. No CVSS score is assigned in official databases; EPSS probability is extremely low at 0.01%, and no public exploit code or active exploitation has been identified. The vulnerability was reported by Patchstack's security audit team.

Technical ContextAI

This SSRF vulnerability (CWE-918) exists in the Jthemes Genemy WordPress theme, a web design and functionality extension for WordPress. SSRF vulnerabilities occur when an application fails to validate and restrict HTTP requests initiated by server-side code, allowing attackers to manipulate the application into making requests to unintended destinations. The affected product is a WordPress theme (identified via CPE context as WordPress plugin/theme infrastructure), which runs server-side PHP code to render pages and handle user input. The lack of proper input validation or request destination filtering in Genemy's code path allows attackers to forge requests that bypass network segmentation, access internal APIs, or retrieve sensitive data from backend services.

Affected ProductsAI

The Jthemes Genemy WordPress theme is affected in all versions from an unspecified baseline through version 1.6.6. The vendor's official advisory is hosted at Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability). No other product variants or version numbers are specified in the available data.

RemediationAI

Update Jthemes Genemy theme to a version newer than 1.6.6 immediately. The vendor has released a patched version; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability for the specific fixed version number and installation instructions. In the interim, restrict outbound HTTP/HTTPS requests from the WordPress server using firewall rules or WAF policies to block requests to internal IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254 for AWS). Monitor server logs for unexpected outbound connection attempts.

Share

CVE-2025-59138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy