Impact
A Server‑Side Request Forgery flaw exists in the nK Themes Helper WordPress plugin for versions up to 1.7.9. The vulnerability allows an attacker to coerce the plugin into making arbitrary HTTP requests to any URL specified by the attacker. This can result in the retrieval of sensitive information from internal or remote systems, or the triggering of actions on those systems via the plugin’s request logic.
Affected Systems
WordPress sites that have the nK Themes Helper plugin installed with a version less than or equal to 1.7.9 are affected. The exact release range is "n/a through <= 1.7.9"; site owners using any version of the plugin at or below that cutoff should review their installations.
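For the installation review described above, the following added example (not part of the advisory or of the plugin's own code) scans a `wp-content/plugins` directory for the plugin and flags any copy at or below 1.7.9. It assumes the plugin's file header names it "nK Themes Helper"; the directory tree built in `demo()` is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

CUTOFF = "1.7.9"                 # last affected version, per the advisory
NAME_MATCH = "nk themes helper"  # assumption: text of the "Plugin Name" header
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_header(text):
    """Return the 'plugin name' and 'version' fields of a plugin file header."""
    fields = {}
    for key, value in HEADER.findall(text[:8192]):  # WordPress reads only the first 8 KiB
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version, width=4):
    """'1.7.10-beta' -> (1, 7, 10, 0); a suffix after '-' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:width]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(version, cutoff=CUTOFF):
    # Numeric comparison, so 1.7.10 is correctly treated as newer than 1.7.9.
    return version_tuple(version) <= version_tuple(cutoff)

def scan_plugins(plugins_dir):
    """Return (file, version, affected) for each matching plugin folder."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(errors="replace"))
        if NAME_MATCH in fields.get("plugin name", "").lower() and "version" in fields:
            results.append((str(php), fields["version"], is_affected(fields["version"])))
    return results

def demo():
    """Constructed sample tree: one copy at the cutoff, one newer."""
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in (("copy-1", "1.7.9"), ("copy-2", "1.7.10")):
            d = Path(root, folder)
            d.mkdir()
            Path(d, "plugin.php").write_text(
                f"<?php\n/**\n * Plugin Name: nK Themes Helper\n * Version: {ver}\n */\n")
        return [(version, affected) for _, version, affected in scan_plugins(root)]

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of the site's `wp-content/plugins` directory to `scan_plugins()`.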
Risk and Exploitability
The flaw has a CVSS score of 6.4, which is medium severity. The EPSS score of < 1% indicates that, as of the last update, exploit attempts are expected to be rare. The flaw is not listed in the CISA KEV catalog. The likely attack surface is the plugin’s request handling endpoint, and an attacker would need a way to supply a target URL, either by exploiting an authenticated configuration page or by tricking a user into triggering the request. Without additional context, the attack does not appear to require remote code execution or elevated privileges, but the ability to reach internal resources can threaten confidentiality and integrity.