Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Administrator credential requirement (PR:H) and specific trigger conditions (AC:H) dominate; scope change reflects SSRF reaching internal systems beyond WordPress.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
AnalysisAI
Server-Side Request Forgery (SSRF) in the PopAd WordPress plugin by Vynnus allows an authenticated administrator to cause the server to make forged outbound HTTP requests to arbitrary destinations, including internal network resources. All versions through 1.0.4 are affected per CPE data (cpe:2.3:a:vynnus:popad). The scope change (S:C) in the CVSS vector confirms that successful exploitation can reach systems beyond the WordPress host itself, enabling lateral pivoting into internal infrastructure. No public exploit identified at time of analysis.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) describes a class of vulnerabilities where a server-side application accepts a user-controlled URL or network destination and makes an outbound request to it without adequate validation. In the context of a WordPress plugin (cpe:2.3:a:vynnus:popad), this typically manifests through a plugin settings page or AJAX endpoint that accepts a URL parameter and fetches it server-side - commonly used for ad-network callbacks or content retrieval. The vulnerability is reachable over the network (AV:N) but requires high-privilege (administrator-level) WordPress credentials (PR:H) and high attack complexity (AC:H), suggesting a specific trigger path rather than a trivially exploitable endpoint. The CVSS scope change flag (S:C) indicates the forged requests can interact with systems separate from the vulnerable WordPress installation, such as cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), internal microservices, or other network-adjacent hosts.
RemediationAI
Patch available per vendor advisory - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/popad/vulnerability/wordpress-popad-plugin-1-0-4-server-side-request-forgery-ssrf-vulnerability for the confirmed fixed version, as no explicit patched release number was provided in the available intelligence data. Administrators should check the WordPress plugin repository for an updated PopAd release above 1.0.4 and apply it promptly. If an updated version is unavailable or cannot be deployed immediately, consider deactivating the PopAd plugin entirely until a fix is confirmed - this eliminates the attack surface at the cost of losing plugin functionality. As a network-level compensating control for cloud-hosted WordPress deployments, restrict the server's ability to make outbound HTTP requests to RFC-1918 address ranges and cloud metadata endpoints (e.g., block 169.254.169.254 via host-based firewall or WAF egress rules); note this does not fix the vulnerability but prevents the highest-impact SSRF pivot scenarios. Audit WordPress admin account holders to ensure the principle of least privilege is enforced, reducing the pool of accounts that could trigger this flaw.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210158
GHSA-52jj-9626-99qv