Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1.
AnalysisAI
Server-Side Request Forgery (SSRF) in Nelio Content WordPress plugin through version 4.3.1 allows authenticated attackers to make arbitrary HTTP requests from the vulnerable server, potentially accessing internal services and exfiltrating sensitive data. The vulnerability requires authenticated access (PR:L) and high attack complexity (AC:H), limiting real-world risk despite affecting all versions up to 4.3.1. No public exploit code or active exploitation has been confirmed; EPSS score of 0.02% (4th percentile) indicates very low exploitation probability.
Technical ContextAI
The vulnerability is a classic Server-Side Request Forgery (CWE-918) flaw in the Nelio Content plugin for WordPress. SSRF vulnerabilities occur when application code constructs HTTP requests based on user-controlled input without proper validation, allowing attackers to forge requests that originate from the server itself rather than the attacker's machine. This is particularly dangerous in cloud and containerized environments where internal services (databases, metadata endpoints, API gateways) are often accessible only from the server. The Nelio Content plugin (WordPress plugin architecture, CPE: cpe:2.3:a:nelio_software:nelio_content) appears to have insufficient URL validation in a feature that constructs or proxies HTTP requests, permitting an authenticated user to supply a malicious URL that the server then fetches. The high attack complexity (AC:H) suggests the vulnerability requires specific conditions-such as knowledge of internal network topology or crafting of particular request types-rather than trivial exploitation.
RemediationAI
Update Nelio Content to a patched version beyond 4.3.1 immediately. Check the official Nelio Software plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-3-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve for the exact released version containing the fix. As an interim mitigation, restrict Nelio Content plugin access to trusted administrator accounts only, and implement network-level egress filtering to prevent the server from connecting to internal services (e.g., cloud metadata endpoints, private databases, or restricted APIs). Monitor plugin file integrity and server outbound HTTP connections for anomalies.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20183
GHSA-7vhv-799g-fcfv