Description
Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress activity-link-preview-for-buddypress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through <= 1.4.4.
Published: 2025-05-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server-side request forgery vulnerability in Wbcom Designs - Activity Link Preview For BuddyPress allows an attacker to trigger the WordPress server to make arbitrary HTTP, HTTPS, or NTLM requests. The flaw arises from insufficient validation of URLs supplied in activity preview requests and is classified as CWE-918. Successful exploitation can lead the plugin to contact internal or external resources, potentially exposing sensitive data, accessing privileged endpoints, or exfiltrating information. The impact is limited to the server hosting WordPress and any services reachable from that environment; the vulnerability does not provide direct code execution but can facilitate data discovery or further attacks.

Affected Systems

WordPress sites that have installed Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress version 1.4.4 or earlier. The flaw is present across all supported WordPress versions: no specific WordPress core versions are excluded, and any WordPress installation using this plugin is affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests a low predicted exploitation likelihood. Because the plugin does not require elevated privileges to trigger the SSRF, an unauthenticated attacker can exploit the flaw through crafted activity links, though the exact attack vector is inferred from the plugin’s functionality. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been reported as known to be exploited in the wild at the time of this analysis.

Generated by OpenCVE AI on April 30, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade "Activity Link Preview For BuddyPress" to the latest available version where the SSRF bug is fixed
  • If an upgrade is not immediately feasible, disable or remove the plugin from the WordPress site to eliminate the flaw
  • Implement outbound request filtering or a web application firewall to block untrusted external calls originating from the WordPress application

Advisories
Source: EUVD
ID: EUVD-2025-13788
Title: Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through 1.4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through 1.4.4.
Values Added: Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress activity-link-preview-for-buddypress allows Server Side Request Forgery.This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through <= 1.4.4.

Type: Title
Values Removed: WordPress Wbcom Designs - Activity Link Preview For BuddyPress <= 1.4.4 - Server Side Request Forgery (SSRF) Vulnerability
Values Added: WordPress Wbcom Designs - Activity Link Preview For BuddyPress plugin <= 1.4.4 - Server Side Request Forgery (SSRF) Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00042}
Values Added: {'score': 0.00044}


Mon, 12 May 2025 20:30:00 +0000

Type: First Time appeared
Values Added: Wbcomdesigns; Wbcomdesigns activity Link Preview For Buddypress

Type: CPEs
Values Added: cpe:2.3:a:wbcomdesigns:activity_link_preview_for_buddypress:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Wbcomdesigns; Wbcomdesigns activity Link Preview For Buddypress

Wed, 07 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type: Description
Values Added: Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through 1.4.4.

Type: Title
Values Added: WordPress Wbcom Designs - Activity Link Preview For BuddyPress <= 1.4.4 - Server Side Request Forgery (SSRF) Vulnerability

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.572Z

Reserved: 2025-05-07T09:40:00.789Z

Link: CVE-2025-47548

Vulnrichment

Updated: 2025-05-07T17:20:17.277Z

NVD

Status: Modified

Published: 2025-05-07T15:16:11.647

Modified: 2026-04-23T15:30:27.910

Link: CVE-2025-47548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:30:15Z

Weaknesses