CVE-2025-32487 - Vulnerability Details

- WordPress Waymark plugin <= 1.5.2 - Server Side Request Forgery (SSRF) Vulnerability

Description

Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark waymark allows Server Side Request Forgery.This issue affects Waymark: from n/a through <= 1.5.2.

Published: 2025-04-09

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability allows an attacker to trigger arbitrary outbound HTTP requests from the WordPress hosting environment through the Waymark plugin. Because the plugin does not validate or constrain the target URL, an attacker could obtain sensitive internal data, discover network topology, or abuse internal services. The CVSS score of 4.9 reflects that the impact is mainly confidentiality and integrity of data accessed via internal resources rather than denial of service or remote code execution.

Affected Systems

WordPress installations that use the Joe Waymark plugin, versions up to and including 1.5.2. The plugin version 1.5.2 and earlier are affected; newer releases are not listed as vulnerable.

Risk and Exploitability

The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating a low likelihood of exploitation at the current time. Nevertheless, the attack vector is web‑based; an unauthenticated external user could construct a request that causes the plugin to resolve a malicious or internal URL. Because the flaw can be triggered via normal plugin functionality, there is no prerequisite of special access beyond accessing the plugin’s HTTP endpoints. The risk remains moderate due to the potential to access internal services, but the limited exploitation probability reduces overall urgency.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Joe

Waymark

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.5.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Joe Waymark plugin to a version newer than 1.5.2
Restrict or remove the plugin’s ability to process external URLs, such as disabling any REST API endpoints that accept user‑supplied URLs
If an update is unavailable, consider disabling or uninstalling the plugin until a patch is released

Generated by OpenCVE AI on April 30, 2026 at 23:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10623	Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through 1.5.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/waymark/vulnerability/wordpress-waymark-1-5-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through 1.5.2.	Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark waymark allows Server Side Request Forgery.This issue affects Waymark: from n/a through <= 1.5.2.
Title	WordPress Waymark <= 1.5.2 - Server Side Request Forgery (SSRF) Vulnerability	WordPress Waymark plugin <= 1.5.2 - Server Side Request Forgery (SSRF) Vulnerability
References	https://patchstack.com/database/wordpress/plugin/waymark/vulnerability/wordpress-waymark-1-5-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/waymark/vulnerability/wordpress-waymark-1-5-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Wed, 09 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 09 Apr 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through 1.5.2.
Title		WordPress Waymark <= 1.5.2 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses		CWE-918
References		https://patchstack.com/database/wordpress/plugin/waymark/vulnerability/wordpress-waymark-1-5-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-09T16:09:50.757Z

Updated: 2026-04-28T16:12:22.731Z

Reserved: 2025-04-09T11:19:01.929Z

Link: CVE-2025-32487

Vulnrichment

Updated: 2025-04-09T18:20:42.700Z

NVD

Status : Deferred

Published: 2025-04-09T17:15:41.550

Modified: 2026-04-23T15:28:58.333

Link: CVE-2025-32487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:00:05Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object