Skip to main content

PopAd WordPress Plugin EUVDEUVD-2025-210158

| CVE-2025-60175 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-15 Patchstack GHSA-52jj-9626-99qv
4.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

Administrator credential requirement (PR:H) and specific trigger conditions (AC:H) dominate; scope change reflects SSRF reaching internal systems beyond WordPress.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:17 vuln.today

DescriptionCVE.org

Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.

AnalysisAI

Server-Side Request Forgery (SSRF) in the PopAd WordPress plugin by Vynnus allows an authenticated administrator to cause the server to make forged outbound HTTP requests to arbitrary destinations, including internal network resources. All versions through 1.0.4 are affected per CPE data (cpe:2.3:a:vynnus:popad). The scope change (S:C) in the CVSS vector confirms that successful exploitation can reach systems beyond the WordPress host itself, enabling lateral pivoting into internal infrastructure. No public exploit identified at time of analysis.

Technical ContextAI

CWE-918 (Server-Side Request Forgery) describes a class of vulnerabilities where a server-side application accepts a user-controlled URL or network destination and makes an outbound request to it without adequate validation. In the context of a WordPress plugin (cpe:2.3:a:vynnus:popad), this typically manifests through a plugin settings page or AJAX endpoint that accepts a URL parameter and fetches it server-side - commonly used for ad-network callbacks or content retrieval. The vulnerability is reachable over the network (AV:N) but requires high-privilege (administrator-level) WordPress credentials (PR:H) and high attack complexity (AC:H), suggesting a specific trigger path rather than a trivially exploitable endpoint. The CVSS scope change flag (S:C) indicates the forged requests can interact with systems separate from the vulnerable WordPress installation, such as cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), internal microservices, or other network-adjacent hosts.

RemediationAI

Patch available per vendor advisory - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/popad/vulnerability/wordpress-popad-plugin-1-0-4-server-side-request-forgery-ssrf-vulnerability for the confirmed fixed version, as no explicit patched release number was provided in the available intelligence data. Administrators should check the WordPress plugin repository for an updated PopAd release above 1.0.4 and apply it promptly. If an updated version is unavailable or cannot be deployed immediately, consider deactivating the PopAd plugin entirely until a fix is confirmed - this eliminates the attack surface at the cost of losing plugin functionality. As a network-level compensating control for cloud-hosted WordPress deployments, restrict the server's ability to make outbound HTTP requests to RFC-1918 address ranges and cloud metadata endpoints (e.g., block 169.254.169.254 via host-based firewall or WAF egress rules); note this does not fix the vulnerability but prevents the highest-impact SSRF pivot scenarios. Audit WordPress admin account holders to ensure the principle of least privilege is enforced, reducing the pool of accounts that could trigger this flaw.

Share

EUVD-2025-210158 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy