Description
Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward pressforward allows Server Side Request Forgery.This issue affects PressForward: from n/a through <= 5.9.5.
Published: 2025-08-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PressForward plugins up to version 5.9.5 contain a server‑side request forgery flaw that allows an attacker to cause the plugin to send arbitrary HTTP or HTTPS requests to internal or external addresses. This weakness arises from the plugin accepting URLs from user input without sufficient validation, resulting in an integrity breach of the WordPress site and potential exposure of sensitive data. The underlying weakness is CWE‑918, which denotes SSRF vulnerabilities.

Affected Systems

WordPress sites that have the PressForward plugin installed in any version from the earliest available release through 5.9.5 are impacted. The vulnerability is present in all releases of the plugin up to and including 5.9.5; all WordPress installations that rely on any of those versions are therefore at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which further reduces the likelihood of widespread exploitation. The likely attack vector is inferred to be an authenticated user with access to the PressForward interface or an unauthenticated user if the plugin exposes any public endpoints; the issue stems from unsanitized URL handling within the plugin code.

Generated by OpenCVE AI on May 1, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PressForward to the latest stable version (5.9.6 or later) to remove the unvalidated request handling logic.
  • Configure the web server or host firewall to block outbound HTTP/HTTPS traffic originating from WordPress processes, thereby limiting the plugin’s ability to reach internal or external addresses.
  • If an upgrade cannot be performed immediately, disable or uninstall the PressForward plugin and monitor for any unauthorized outbound traffic from the WordPress installation.

Generated by OpenCVE AI on May 1, 2026 at 06:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24734 Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward allows Server Side Request Forgery. This issue affects PressForward: from n/a through 5.9.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward allows Server Side Request Forgery. This issue affects PressForward: from n/a through 5.9.1. Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward pressforward allows Server Side Request Forgery.This issue affects PressForward: from n/a through <= 5.9.5.
Title WordPress PressForward <= 5.9.1 - Server Side Request Forgery (SSRF) Vulnerability WordPress PressForward <= 5.9.4 - Server Side Request Forgery (SSRF) vulnerability
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Pressforward
Pressforward pressforward
Wordpress
Wordpress wordpress
Vendors & Products Pressforward
Pressforward pressforward
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward allows Server Side Request Forgery. This issue affects PressForward: from n/a through 5.9.1.
Title WordPress PressForward <= 5.9.1 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Pressforward Pressforward
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.348Z

Reserved: 2025-03-11T08:10:44.966Z

Link: CVE-2025-28987

cve-icon Vulnrichment

Updated: 2025-08-14T19:45:38.069Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:31.790

Modified: 2026-04-23T15:26:44.020

Link: CVE-2025-28987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses