Description
The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks.
Published: 2025-11-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Upgrade Plugin
AI Analysis

Impact

The Local Syndication plugin allows any authenticated user with Contributor-level access or higher to insert the [syndicate_local] shortcode with a custom url parameter. The plugin passes that value to wp_remote_get() instead of the safer wp_safe_remote_get(), so the destination is never checked against loopback or private IP ranges. This flaw permits an attacker to trigger outbound HTTP requests from the WordPress server to arbitrary internal or external hosts. The attacker can consequently read sensitive data from internal services, modify internal state, or use the server as a pivot to scan the internal network, thereby compromising the confidentiality, integrity, and potentially the availability of networked resources.

Affected Systems

WordPress sites running the willbontrager Local Syndication plugin, versions 1.5a and earlier, are affected. The vulnerability applies regardless of the specific WordPress core version, provided the plugin is installed and the user has Contributor or higher access rights.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium-severity vulnerability. The EPSS score of less than 1% implies that, at the time of this assessment, exploitation is very unlikely to occur. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor privileges, so the attack surface is limited to accounts that already hold that role. Once authenticated, the attacker can supply arbitrary URLs to the shortcode, enabling SSRF; the only controls the resulting request is subject to are whatever egress rules the site's own network policy applies.

Generated by OpenCVE AI on April 21, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Local Syndication to the latest available release that removes the insecure wp_remote_get() call, or apply the vendor's patch if one is released.
  • If an upgrade is not immediately possible, delete or disable the [syndicate_local] shortcode from content and templates so no URLs are passed in user-supplied content.
  • Restrict the ability of Contributor users to add or edit posts that could include the shortcode; consider limiting the role to editors or administrators if possible.
  • Configure network-level egress filtering or firewall rules to block outbound HTTP requests from the WordPress server to internal IP ranges that are not required for legitimate site operation.
  • Validate all user-supplied URL inputs on the server side before making external requests, ensuring only HTTPS and allow-listed domains are accessed.
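The description above attributes the flaw to wp_remote_get() being used where wp_safe_remote_get() belongs, and the last two recommended actions ask for server-side URL validation in front of the request. The following is an added illustration of both points, not the Local Syndication plugin's own code: a hypothetical shortcode handler in the unsafe shape the advisory describes, beside a hardened version that allow-lists HTTPS hosts and then fetches with wp_safe_remote_get(). The function names, the shortcode tag `example_syndicate` and the option name `example_syndicate_allowed_hosts` are assumptions.

```php
<?php
// Added illustration (not the Local Syndication plugin's code): the request
// pattern the advisory describes and a hardened replacement for a shortcode
// that fetches a caller-supplied URL. Function names, the shortcode tag and
// the option name are assumed.

// The unsafe pattern: the shortcode's url attribute goes straight into
// wp_remote_get(), which does not refuse loopback or private destinations,
// so the fetch is made from whatever network position the web server has.
function example_syndicate_unsafe( $atts ) {
    $atts     = shortcode_atts( array( 'url' => '' ), $atts, 'example_syndicate' );
    $response = wp_remote_get( $atts['url'] );
    if ( is_wp_error( $response ) ) {
        return '';
    }
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}

// Returns the normalised URL when it is https and its host is on the site's
// allow-list (assumed option name: example_syndicate_allowed_hosts), else false.
function example_syndicate_allowed_url( $url ) {
    // esc_url_raw() returns '' for any scheme other than the ones listed.
    $url = esc_url_raw( (string) $url, array( 'https' ) );
    if ( '' === $url ) {
        return false;
    }
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host ) {
        return false;
    }
    $allowed = array_map( 'strtolower', (array) get_option( 'example_syndicate_allowed_hosts', array() ) );
    return in_array( strtolower( $host ), $allowed, true ) ? $url : false;
}

// The hardened pattern: allow-list first, then wp_safe_remote_get(), which
// sets reject_unsafe_urls so WordPress refuses hosts that resolve to loopback
// or private ranges. Redirects are disabled so the allow-list decision is final.
function example_syndicate_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'example_syndicate' );
    $url  = example_syndicate_allowed_url( $atts['url'] );
    if ( false === $url ) {
        return '';
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}

add_shortcode( 'example_syndicate', 'example_syndicate_safe' );
```

With the allow-list option empty the hardened handler fetches nothing, which is the safe default for a setting an administrator has to populate. wp_safe_remote_get() on its own would still let a Contributor pull any public URL into the rendered page, which is why the host allow-list sits in front of it rather than replacing it.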

Advisories

No advisories yet.

History

Tue, 18 Nov 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 14:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: (identical to the Description text at the top of this record)

Type: Title
Values Removed: (none)
Values Added: Local Syndication <= 1.5a - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:42.996Z

Reserved: 2025-11-10T16:58:29.926Z

Link: CVE-2025-12962

Vulnrichment

Updated: 2025-11-18T14:48:31.470Z

NVD

Status: Deferred

Published: 2025-11-18T09:15:49.850

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses