Description
Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2.
Published: 2025-05-07
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server‑Side Request Forgery flaw exists in the ThimPress WP Pipes plugin. The vulnerability, classified as CWE‑918, allows an attacker to cause the vulnerable WordPress instance to issue arbitrary HTTP requests on the attacker's behalf. This can enable the attacker to reach internal network resources or contact external services, thereby compromising confidentiality and availability of internal assets. The plugin does not restrict or validate the target URLs, and the flaw can be triggered via standard web interfaces.

Affected Systems

WordPress sites that use the ThimPress WP Pipes plugin up to and including version 1.4.2 are affected. Any site running a vulnerable version of the plugin should be treated as susceptible to SSRF exploitation.

Risk and Exploitability

The CVSS score of 4.4 places the flaw in the moderate severity range, and the EPSS score of less than 1% indicates a low probability of widespread exploitation as of the latest data. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is through web requests to the plugin's interface, where unsanitized URLs are processed. Successful exploitation would allow unauthorized access to internal hosts or service endpoints that the WordPress server can reach.

Generated by OpenCVE AI on April 30, 2026 at 13:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Pipes plugin to any release newer than version 1.4.2.
  • If an upgrade is not immediately possible, disable the WP Pipes plugin until a patch is applied to eliminate SSRF surface area.
  • Configure input validation for the plugin to reject URLs pointing to private or loopback addresses, implementing the recommended safeguards for CWE‑918 to prevent the plugin from making unauthorized outbound requests.



Advisories
Source: EUVD
ID: EUVD-2025-13735
Title: Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes wp-pipes allows Server Side Request Forgery.This issue affects WP Pipes: from n/a through <= 1.4.3.
Values Added: Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2.

Type: Title
Values Removed: WordPress WP Pipes plugin <= 1.4.3 - Server Side Request Forgery (SSRF) Vulnerability
Values Added: WordPress WP Pipes <= 1.4.2 - Server Side Request Forgery (SSRF) Vulnerability

Type: References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2.
Values Added: Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes wp-pipes allows Server Side Request Forgery.This issue affects WP Pipes: from n/a through <= 1.4.3.

Type: Title
Values Removed: WordPress WP Pipes <= 1.4.2 - Server Side Request Forgery (SSRF) Vulnerability
Values Added: WordPress WP Pipes plugin <= 1.4.3 - Server Side Request Forgery (SSRF) Vulnerability

Type: References

Wed, 26 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:thimpress:wp_pipes:*:*:*:*:*:wordpress:*:*

Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00033}
Values Added: epss {'score': 0.00035}


Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2.
Title WordPress WP Pipes <= 1.4.2 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.648Z

Reserved: 2025-05-07T10:45:20.229Z

Link: CVE-2025-47664

Vulnrichment

Updated: 2025-05-07T17:19:02.488Z

NVD

Status: Modified

Published: 2025-05-07T15:16:18.777

Modified: 2026-04-28T19:32:31.927

Link: CVE-2025-47664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:15:37Z

Weaknesses