CVE-2025-69014

MEDIUM 4.9 (CVSS 3.1)
Published 2025-12-30

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Dec 30, 2025 - 11:15 (nvd), rated MEDIUM 4.9
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Server-Side Request Forgery (SSRF) vulnerability in the Youzify WordPress plugin (vendor Youzify, plugin slug youzify) allows Server-Side Request Forgery. This issue affects Youzify: from n/a through <= 1.3.7.

Analysis

Server-Side Request Forgery (SSRF) in the Youzify WordPress plugin through version 1.3.7 lets an authenticated user holding a high-privilege (administrator-level) role cause the web server to issue HTTP requests to attacker-chosen destinations, exposing internal resources and services that are reachable from the server but not from the attacker. Because the vector rates confidentiality High (C:H) with integrity and availability None, the practical concern is reading responses from internal endpoints rather than modifying them. The requirement for administrative credentials (PR:H) is what holds the CVSS score to 4.9, and the EPSS score of 0.04% indicates minimal observed real-world exploitation likelihood at the time of analysis.

Technical Context

This vulnerability stems from improper validation of user-supplied input in network request handling (CWE-918: Server-Side Request Forgery), a common flaw in WordPress plugins that pass a URL or endpoint from the request straight to wp_remote_get(), cURL, or another backend HTTP library without checking the destination. The Youzify plugin, which extends WordPress with community and profile features, likely contains functions that fetch remote content or interact with external services; the advisory does not identify the specific parameter or function, so the description here is of the pattern rather than the exact code path. An attacker with admin-level privileges can point such a request at loopback (127.0.0.1), RFC 1918 ranges, or a cloud instance metadata endpoint (for example the AWS EC2 metadata service at 169.254.169.254), potentially disclosing configuration data, API keys, or internal service credentials. Two caveats matter when triaging the PR:H requirement: on managed hosting and multisite installs a WordPress administrator frequently does not have shell or filesystem access to the server, so SSRF is a genuine privilege boundary crossing there; and metadata services that require a session token (such as IMDSv2, which needs a PUT with a custom header) are much harder to reach through a simple GET-style SSRF than services that answer plain GET requests.
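The following is an added example, not Youzify's code: a hypothetical WordPress admin-ajax handler (example_fetch_preview_vulnerable) that exhibits the CWE-918 pattern described above, beside a hardened form. The function names, the nonce action 'example_preview', the POST parameter 'url' and the allowlist host api.example.com are all assumptions chosen for illustration. The hardened version relies on WordPress core's wp_safe_remote_get() and wp_http_validate_url(), plus an explicit host allowlist and a resolved-address check, because core's private-range check covers only the IPv4 ranges 0/8, 10/8, 127/8, 172.16/12 and 192.168/16 and does not reject link-local 169.254.0.0/16 or IPv6 targets on its own.

```php
<?php
/**
 * Added example (hypothetical plugin code, not from Youzify).
 * Assumes the WordPress core API is loaded.
 */

// --- Vulnerable pattern (CWE-918) ----------------------------------------
// The destination comes straight from the request and is handed to
// wp_remote_get(), which will fetch http://127.0.0.1:6379/ or
// http://169.254.169.254/latest/meta-data/ just as readily as a public URL.
// The capability check only limits *who* can trigger it, not *where* it goes.
function example_fetch_preview_vulnerable() {
    check_ajax_referer( 'example_preview', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url );                 // no destination validation
    wp_send_json_success( wp_remote_retrieve_body( $response ) ); // full response echoed back
}

// --- Hardened pattern ------------------------------------------------------

// True only for a globally routable address. FILTER_FLAG_NO_PRIV_RANGE rejects
// 10/8, 172.16/12, 192.168/16 and fc00::/7; FILTER_FLAG_NO_RES_RANGE rejects
// 0/8, 127/8, 169.254/16, 240/4, ::1, :: and fe80::/10.
function example_ip_is_public( $ip ) {
    return false !== filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

// Returns the validated URL string or a WP_Error.
function example_validate_fetch_url( $url ) {
    $url = esc_url_raw( $url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'bad_url', 'URL must be http or https' );
    }
    // Core check: scheme, no userinfo, port 80/443/8080 only, IPv4 private ranges.
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'unsafe_url', 'URL rejected by wp_http_validate_url' );
    }
    // Primary control: an explicit host allowlist. This is what actually stops
    // SSRF; the address checks below are defence in depth.
    $host    = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    $allowed = apply_filters( 'example_fetch_allowed_hosts', array( 'api.example.com' ) );
    if ( ! in_array( $host, $allowed, true ) ) {
        return new WP_Error( 'host_not_allowed', 'Host is not on the allowlist' );
    }
    // Secondary control: every address the host resolves to must be public.
    // Covers 169.254.169.254 and IPv6, which wp_http_validate_url() does not.
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses = array( $host );
    } else {
        $addresses = array();
        foreach ( (array) dns_get_record( $host, DNS_A + DNS_AAAA ) as $rr ) {
            if ( isset( $rr['ip'] ) )   { $addresses[] = $rr['ip']; }
            if ( isset( $rr['ipv6'] ) ) { $addresses[] = $rr['ipv6']; }
        }
    }
    if ( empty( $addresses ) ) {
        return new WP_Error( 'unresolvable', 'Host did not resolve' );
    }
    foreach ( $addresses as $ip ) {
        if ( ! example_ip_is_public( $ip ) ) {
            return new WP_Error( 'private_address', 'Host resolves to a non-public address' );
        }
    }
    return $url;
}

function example_fetch_preview_hardened() {
    check_ajax_referer( 'example_preview', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = example_validate_fetch_url( isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '' );
    if ( is_wp_error( $url ) ) {
        wp_send_json_error( $url->get_error_message(), 400 );
    }
    // wp_safe_remote_get() sets reject_unsafe_urls => true so WP_Http re-runs
    // wp_http_validate_url(); redirection => 0 removes the redirect-to-internal
    // bypass entirely, and a short timeout limits use as a port-scan oracle.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    // Return only what the feature needs, never the raw body.
    wp_send_json_success( array(
        'status'       => wp_remote_retrieve_response_code( $response ),
        'content_type' => wp_remote_retrieve_header( $response, 'content-type' ),
    ) );
}
add_action( 'wp_ajax_example_fetch_preview', 'example_fetch_preview_hardened' );
```

The resolve-then-fetch check still has a DNS rebinding window (the name is resolved once by the check and again by the HTTP client), which is why the allowlist is the primary control and the address check is only a backstop; if the feature genuinely needs arbitrary user-supplied hosts, route the fetch through an egress proxy that enforces the destination policy at connect time instead.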

Affected Products

Youzify WordPress plugin releases up to and including version 1.3.7 are affected; the advisory gives no lower bound ("from n/a"), so treat every earlier release as affected. This applies regardless of whether the plugin was installed from the wordpress.org repository or bundled with a theme or obtained from another source. Administrators running Youzify 1.3.7 or earlier on any WordPress installation should update.

Remediation

Update Youzify to a version newer than 1.3.7 as released by the vendor. Verify the fixed version number against the official WordPress plugin repository changelog or the advisory at https://patchstack.com/database/Wordpress/Plugin/youzify/vulnerability/wordpress-youzify-plugin-1-3-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve; note that the advisory URL slug references 1.3.5 while the CVE description gives <= 1.3.7, so confirm the exact patched release rather than relying on either number alone. As an interim control pending patch deployment, restrict administrator role assignment to trusted accounts and review existing administrators, since exploitation requires high-privilege credentials. Independently of the patch, implement network-level egress filtering so that the web server process can reach only the external services it needs and cannot reach the cloud instance metadata endpoint or internal management interfaces; this bounds the impact of this SSRF and of any future one in the same codebase.
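As an added example of the egress filtering mentioned above (not part of the advisory), the following nftables ruleset blocks outbound connections from the web server process to the instance metadata address and to private ranges, while leaving loopback traffic that the stack itself needs (for example a local database or PHP-FPM socket) untouched. It assumes the web server and PHP workers run as the user www-data and that the host is a Linux server with nftables; adjust the user and the exempted destinations for your environment.

```nft
# /etc/nftables.conf fragment (added example, assumptions: Linux, nftables,
# PHP workers running as www-data). Load with: nft -f /etc/nftables.conf
table inet egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # Loopback stays open so local services (DB, FPM, Redis on 127.0.0.1) keep working.
        oif "lo" accept

        # Weak setting: no rule at all, so a server-side request can reach
        # the cloud metadata service. Corrected: drop it for the web user.
        meta skuid "www-data" ip daddr 169.254.169.254 counter log prefix "egress-imds " drop

        # Block the web user from reaching private and link-local ranges on
        # other hosts (internal admin panels, databases, message queues).
        meta skuid "www-data" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } counter log prefix "egress-rfc1918 " drop
        meta skuid "www-data" ip6 daddr { fc00::/7, fe80::/10 } counter log prefix "egress-ula " drop
    }
}
```

The log prefixes turn every blocked attempt into a detection signal: a burst of "egress-imds" or "egress-rfc1918" entries originating from www-data is exactly what an SSRF probe looks like from the host side, and it is worth forwarding those lines to the SIEM alongside the web server access log so the triggering admin session can be identified.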

Priority Score

25 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0
