Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
AnalysisAI
Server-Side Request Forgery (SSRF) in InfusedWoo Pro plugin for WordPress versions up to 5.1.2 allows unauthenticated remote attackers to exploit the popup_submit function to read arbitrary files from the server and make unauthorized web requests to internal network resources. This vulnerability enables reconnaissance and potential access to internal services that should not be externally accessible, including cloud metadata endpoints, internal APIs, and localhost services. CVSS 7.5 (High) reflects network-accessible attack with no authentication required and high confidentiality impact. EPSS data not available; no active exploitation confirmed via CISA KEV at time of analysis.
Technical ContextAI
This is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting the InfusedWoo Pro WordPress plugin, a premium e-commerce integration solution. The vulnerability resides in the popup_submit function which fails to properly validate and sanitize user-supplied URLs before making outbound requests from the WordPress server. WordPress plugins executing in PHP context have full access to the server's network stack, allowing attackers to abuse vulnerable functions as a proxy. SSRF vulnerabilities allow attackers to leverage the application server's network position to access resources that would otherwise be unreachable from the external internet, including RFC-1918 private IP ranges, localhost services, and cloud provider metadata services (AWS EC2 metadata at 169.254.169.254, Azure Instance Metadata Service, etc.). The description mentions both arbitrary file read and web request capabilities, suggesting the function may accept file:// scheme URIs alongside http/https, enabling local file system access through URL handlers.
RemediationAI
Upgrade InfusedWoo Pro plugin to version 5.1.3 or later if available, as versions through 5.1.2 are confirmed vulnerable. Verify patched version by checking the vendor changelog at https://downloads.infusedwoo.com/updater/iw5.php?changelog for SSRF fix confirmation and reviewing Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/76b75e61-e7f8-41cc-ab4f-e6ca42d68308. If immediate patching is not possible, implement network-layer compensating controls: configure web application firewall (WAF) rules to block requests to the popup_submit endpoint from untrusted sources (note: may break legitimate plugin functionality for form submissions), apply egress filtering on the WordPress server to prevent outbound connections to RFC-1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata endpoints. Consider temporarily disabling the InfusedWoo Pro plugin if not actively required for business operations until patching is completed. Network segmentation reduces but does not eliminate risk as attackers can still exfiltrate data from accessible internal services.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30263
GHSA-mh5f-f33c-v7q4