Description
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-01-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery (SSRF)
Action: Immediate Patch
AI Analysis

Impact

The GetContentFromURL WordPress plugin contains an SSRF flaw that arises from using wp_remote_get() instead of wp_safe_remote_get() when processing the 'url' attribute of the [gcfu] shortcode. An attacker who is authenticated with Contributor or higher privileges can supply any URL and force the web application to initiate outbound HTTP requests. This enables the attacker to query internal services, retrieve sensitive data, or potentially modify internal state from within the server environment. The weakness is classified as CWE-918 (Server-Side Request Forgery): the user-supplied URL is passed to the HTTP client without the host and scheme validation that the safe variant performs.

Affected Systems

WordPress sites running the GetContentFromURL plugin up to and including version 1.0, developed by daschmi, are affected. Any user with Contributor-level access or higher can exploit the vulnerability. No other WordPress plugins or core components are listed as affected.

Risk and Exploitability

The CVSS score of 7.2 classifies the vulnerability as high, reflecting the combination of a low authentication bar (Contributor+) and the serious impact of SSRF. The EPSS score of less than 1% suggests that exploitation is currently rarely observed, but the risk remains because the server can be made to reach internal services. The issue is not listed in CISA KEV, indicating it has not yet been reported as widely exploited. Based on the description, the likely attack vector is a legitimate authenticated user who inserts a malicious URL into the shortcode, causing the server to reach arbitrary endpoints, including internal network services.

Generated by OpenCVE AI on April 20, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GetContentFromURL to the latest available version (any release newer than 1.0 that uses wp_safe_remote_get).
  • Remove or disable the [gcfu] shortcode from the site if the feature is not needed, or restrict its usage to a secure audience such as administrators only.
  • If the plugin must remain for Contributors, configure network-level access controls or a firewall to block outbound requests from the web server to internal IP ranges, thereby limiting the potential impact of SSRF.
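The analysis above attributes the flaw to wp_remote_get() being used where wp_safe_remote_get() belongs, and the first recommended action is to move to a release that uses the safe variant. The following PHP is an added illustration, not the GetContentFromURL plugin's actual source: a minimal [gcfu]-style shortcode handler in its vulnerable form beside a hardened one. The function names (gcfu_demo_*) and the gcfu_demo_allowed_hosts filter are hypothetical; the WordPress functions called (shortcode_atts, wp_remote_get, wp_safe_remote_get, wp_http_validate_url, esc_url_raw, wp_remote_retrieve_body, wp_remote_retrieve_response_code, wp_kses_post, wp_parse_url, add_shortcode) are real core APIs.

```php
<?php
// Added illustration, not the plugin's code. Function names gcfu_demo_* and the
// gcfu_demo_allowed_hosts filter are hypothetical; the WordPress APIs are real.

// Vulnerable pattern: wp_remote_get() performs no URL safety checks, so any
// Contributor who can place a shortcode can make the server fetch loopback,
// link-local or RFC 1918 addresses, and the raw body is reflected into the page.
function gcfu_demo_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'gcfu' );

    $response = wp_remote_get( $atts['url'] );
    if ( is_wp_error( $response ) ) {
        return '';
    }
    return wp_remote_retrieve_body( $response );
}

// Hardened pattern: wp_safe_remote_get() sets 'reject_unsafe_urls' => true, which
// runs wp_http_validate_url(). That check accepts only http/https on ports 80, 443
// or 8080 and rejects hosts that resolve to loopback or private ranges unless a
// site explicitly allows them through the 'http_request_host_is_external' filter.
function gcfu_demo_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'gcfu' );

    // Normalise the scheme and fail early with the same validator the safe
    // fetcher uses, so a rejected URL never reaches the HTTP client at all.
    $url = esc_url_raw( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        return '';
    }

    // Optional allow-list of hosts (hypothetical filter): an empty list means
    // "any public host", a non-empty list restricts fetches to exactly those hosts.
    $allowed_hosts = apply_filters( 'gcfu_demo_allowed_hosts', array() );
    $host          = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! empty( $allowed_hosts ) && ! in_array( $host, $allowed_hosts, true ) ) {
        return '';
    }

    $response = wp_safe_remote_get(
        $url,
        array(
            'timeout'     => 5,
            'redirection' => 2, // keep the number of redirect hops small
        )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }

    // Escape the remote body so fetched content cannot inject markup into the post.
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}

// Register only the hardened handler.
add_action(
    'init',
    function () {
        add_shortcode( 'gcfu', 'gcfu_demo_shortcode_hardened' );
    }
);
```

The safe fetcher decides on the hostname it resolves at validation time, so it is a code-level control rather than a substitute for the network egress filtering in the third recommended action; the two belong together. When reviewing a plugin for this class of bug, searching the code base for wp_remote_get( and wp_remote_request( calls whose URL argument traces back to shortcode attributes, post meta or request parameters is the quickest way to find equivalent sinks.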

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Removed: (none)
Values Added: GetContentFromURL <= 1.0 - Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress / Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:45.733Z

Reserved: 2025-12-12T20:43:30.437Z

Link: CVE-2025-14613

Vulnrichment

Updated: 2026-01-15T18:29:44.638Z

NVD

Status : Deferred

Published: 2026-01-14T06:15:52.890

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses