Description
Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid simple-google-photos-grid allows Server Side Request Forgery.This issue affects Simple Google Photos Grid: from n/a through <= 1.5.
Published: 2025-04-24
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows the Simple Google Photos Grid plugin to perform HTTP requests to arbitrary URLs. This Server Side Request Forgery can enable an attacker to probe internal or remote servers if the plugin's URL parameter is controllable. The vulnerability is classified as CWE‑918. The description does not specify exactly which assets could be accessed, but the nature of the flaw suggests potential for unauthorized data access or service disruption.

Affected Systems

All releases of the Simple Google Photos Grid plugin developed by josheli up to and including version 1.5 are affected. WordPress sites that host or use this plugin are potentially exposed, regardless of the WordPress core version.

Risk and Exploitability

With a CVSS score of 4.9 the issue is moderate. The EPSS score of below 1% indicates a low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote execution, inferred from standard SSRF behavior: an attacker who can supply a URL to the plugin’s import function would trigger outbound HTTP requests from the server, possibly reaching internal services.

Generated by OpenCVE AI on May 1, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Google Photos Grid plugin to a version greater than 1.5 if an update is available.
  • If an update cannot be applied immediately, restrict the plugin’s outbound network traffic to known safe destinations by configuring server firewall rules or network policies.
  • Configure the plugin (if possible) to validate or whitelist supplied URLs so that only approved domains can be fetched.
  • Monitor outgoing HTTP requests from the WordPress environment for anomalous or unexpected connections.

Generated by OpenCVE AI on May 1, 2026 at 09:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12030 Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through 1.5. Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid simple-google-photos-grid allows Server Side Request Forgery.This issue affects Simple Google Photos Grid: from n/a through <= 1.5.
Title WordPress Simple Google Photos Grid <= 1.5 - Server Side Request Forgery (SSRF) Vulnerability WordPress Simple Google Photos Grid plugin <= 1.5 - Server Side Request Forgery (SSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Thu, 24 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through 1.5.
Title WordPress Simple Google Photos Grid <= 1.5 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.660Z

Reserved: 2025-04-24T14:23:02.622Z

Link: CVE-2025-46503

cve-icon Vulnrichment

Updated: 2025-04-24T19:52:23.165Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T16:15:41.173

Modified: 2026-04-23T15:30:07.827

Link: CVE-2025-46503

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses