Description
The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services.
Published: 2025-11-18
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Blind Server-Side Request Forgery (unauthenticated)
Action: Patch
AI Analysis

Impact

The WP Migrate Lite WordPress migration plugin contains an unauthenticated Blind Server-Side Request Forgery flaw in all versions up to and including 2.7.6. The issue is triggered through the wpmdb_flush AJAX action and lets an attacker make the server send HTTP requests to arbitrary URLs from within the application. Because the SSRF is blind, no response body is returned to the attacker, but timing and error behaviour can still reveal whether internal services exist and expose details of the network topology.

Affected Systems

The vulnerability affects installations of the WP Migrate Lite plugin from wpengine. Any WordPress site running version 2.7.6 or earlier is exposed, regardless of server configuration or other installed plugins.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate risk, while the EPSS score of less than 1% suggests a low current probability of exploitation. The flaw is not listed in the CISA KEV catalog, and no publicly known exploits are available. Unauthenticated attackers can trigger the vulnerability from any internet-reachable location that can access the WordPress site. Although the SSRF is blind, it offers reconnaissance opportunities and could serve as a stepping stone to further attacks within the internal network.

Generated by OpenCVE AI on April 22, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Migrate Lite to the latest released version that resolves the SSRF flaw
  • If an upgrade cannot be performed immediately, remove or deactivate the plugin entirely
  • Block unauthenticated requests to the wpmdb_flush action by configuring a web application firewall or security plugin to limit access to admin-ajax.php
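The third action above calls for blocking the wpmdb_flush action at the WAF; the companion question for a responder is whether that action has already been hit. The following Python script is an added example (not OpenCVE's, Wordfence's or WP Engine's code) that triages web-server access logs for admin-ajax.php requests naming a watched action. It assumes the Apache/nginx "combined" log format, and the four log lines embedded in it are constructed for the demonstration. Access logs do not record POST bodies, and WordPress accepts the AJAX action in the body as well as the query string, so POSTs to admin-ajax.php with no query-string action are reported separately as "check" items rather than silently ignored.

```python
"""Flag access-log requests to the wpmdb_flush admin-ajax.php action.

Added example, not part of the advisory or the plugin. Assumes the
Apache/nginx "combined" log format; SAMPLE_LOG below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# AJAX actions named in the advisory; extend if further actions are published.
WATCHED_ACTIONS = {"wpmdb_flush"}
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Nov/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 2 "-" "curl/8.4.0"
203.0.113.10 - - [18/Nov/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2 "-" "python-requests/2.31"
198.51.100.7 - - [18/Nov/2025:12:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2025:12:01:05 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ajax_action(request_path):
    """Return the 'action' query parameter when the request targets admin-ajax.php, else None."""
    parts = urlsplit(request_path)
    if parts.path != AJAX_ENDPOINT:
        return None
    return parse_qs(parts.query).get("action", [None])[0]


def triage(lines):
    """Split admin-ajax.php traffic into confirmed hits and body-carried unknowns.

    Returns (hits, unresolved). hits: requests whose query string names a watched
    action. unresolved: POSTs to admin-ajax.php with no action in the query
    string; the action may sit in the request body, which access logs omit.
    """
    hits, unresolved = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action = ajax_action(rec["path"])
        if action in WATCHED_ACTIONS:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "action": action, "status": rec["status"], "ua": rec["ua"]})
        elif (action is None and rec["method"] == "POST"
              and urlsplit(rec["path"]).path == AJAX_ENDPOINT):
            unresolved.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"]})
    return hits, unresolved


if __name__ == "__main__":
    found, to_check = triage(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"HIT   {h['ts']} {h['ip']} {h['method']} action={h['action']} "
              f"status={h['status']} ua={h['ua']}")
    for u in to_check:
        print(f"CHECK {u['ts']} {u['ip']} POST to admin-ajax.php with no query-string "
              f"action; inspect the body at the WAF")
```

Run against the sample, the script reports one confirmed hit for the GET carrying action=wpmdb_flush and one CHECK item for the bodyless POST from the same source address. The CHECK category is the practical reason the advisory's block belongs in a WAF or security plugin that sees the request body, not in a rule that matches only the URL.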

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type                 Values Removed       Values Added
References

Wed, 19 Nov 2025 11:00:00 +0000

Type                 Values Removed       Values Added
First Time appeared                       Wordpress
                                          Wordpress wordpress
                                          Wpengine
                                          Wpengine wp Migrate
Vendors & Products                        Wordpress
                                          Wordpress wordpress
                                          Wpengine
                                          Wpengine wp Migrate

Tue, 18 Nov 2025 22:15:00 +0000

Type                 Values Removed       Values Added
Metrics                                   ssvc
                                          {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 11:15:00 +0000

Type                 Values Removed       Values Added
Description                               The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services.
Title                                     WP Migrate Lite <= 2.7.6 - Unauthenticated Blind Server-Side Request Forgery
Weaknesses                                CWE-918
References
Metrics                                   cvssV3_1
                                          {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpengine Wp Migrate
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:54.588Z

Reserved: 2025-10-07T12:01:47.052Z

Link: CVE-2025-11427

Vulnrichment

Updated: 2025-11-18T20:50:24.576Z

NVD

Status : Deferred

Published: 2025-11-18T11:15:44.193

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses