Impact
The reported vulnerability is a Server‑Side Request Forgery (SSRF) flaw in the Faizaan Gagan Course Migration for LearnDash plugin, affecting version 1.0.2 and subsequent releases until a fix is applied. The flaw allows an attacker who can invoke the migration functionality to compel the WordPress instance to issue HTTP requests to arbitrary URLs. This can expose internal network services, exfiltrate sensitive data from external endpoints, or be leveraged as a pivot to attack systems behind the same firewall. The weakness is identified as CWE‑918.
Affected Systems
Faizaan Gagan’s Course Migration for LearnDash plugin, version 1.0.2 and subsequent releases, is impacted. The plugin runs on WordPress installations; no specific operating system or WordPress core version constraints are noted, indicating the issue resides within the plugin code itself.
Risk and Exploitability
The CVSS score of 6.4 reflects moderate severity, while the EPSS score of < 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a user who can access the migration feature, as the plugin performs outbound requests without adequate validation or access controls. Because the flaw is limited to internal server traffic, successful exploitation would mainly affect the host on which the WordPress instance runs unless the attacker also has additional network reachability.
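The two missing controls named above, access control and destination validation, can be sketched for a WordPress AJAX handler as follows. This is an added example, not the plugin's code: the `example_` names, the `source_url` parameter and the allow-listed host are hypothetical, and it assumes migration sources can be restricted to a known set of hosts.

```php
<?php
// Added example (not the plugin's code). The "example_" names, the
// "source_url" parameter and the allow-listed host are hypothetical.

// Constructed allow-list of hosts a migration may pull from.
const EXAMPLE_MIGRATION_ALLOWED_HOSTS = array( 'courses.example.com' );

// Registered for logged-in users only: there is no wp_ajax_nopriv_ hook,
// so unauthenticated visitors cannot reach the handler.
add_action( 'wp_ajax_example_migration_fetch', 'example_migration_fetch' );

function example_migration_fetch() {
    // Access control: a valid nonce plus an administrator capability.
    check_ajax_referer( 'example_migration_fetch', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Accept https URLs only; esc_url_raw() returns '' for other schemes.
    $raw  = isset( $_POST['source_url'] ) ? wp_unslash( $_POST['source_url'] ) : '';
    $url  = esc_url_raw( $raw, array( 'https' ) );
    $host = $url ? strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) ) : '';

    // Destination validation: exact-match host allow-list, then WordPress's
    // own check, which rejects hosts resolving to loopback or private ranges.
    if ( ! in_array( $host, EXAMPLE_MIGRATION_ALLOWED_HOSTS, true )
        || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'source not allowed', 400 );
    }

    // wp_safe_remote_get() enforces reject_unsafe_urls on the request itself.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 10,
        'redirection'         => 0,       // a redirect cannot change the target
        'limit_response_size' => 1048576, // cap the body at 1 MiB
    ) );
    if ( is_wp_error( $response )
        || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // Return only what the caller needs, not the raw upstream response.
    wp_send_json_success( array(
        'bytes' => strlen( wp_remote_retrieve_body( $response ) ),
    ) );
}
```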