Impact
A Server-Side Request Forgery (SSRF) flaw, classified as CWE-918, exists in the vEnCa-X rajce WordPress plugin: an attacker can make the plugin issue HTTP requests to a destination of the attacker's choosing. Because those requests originate from the web server, they can reach hosts the attacker cannot contact directly, such as services bound to loopback or an internal network segment, and a cloud instance metadata endpoint where one exists. Depending on what the plugin does with the response, this can be used to discover internal services, read their responses, or relay data outward. The impact is bounded by the server's outbound network access, but an SSRF primitive is routinely used as a pivot for internal scanning and lateral movement.
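The following is an added illustration of the CWE-918 pattern in a WordPress-style fetch; it is not code from the rajce plugin, whose internals the advisory does not show. It places the vulnerable shape (a URL taken from the request and fetched unchecked) beside a hardened validator that enforces scheme, credentials, port and address checks before any request is made. The resolver callback, the `$fake_dns` table and every URL in the demonstration are constructed for an offline run and are assumptions, not data from the advisory.

```php
<?php
// Added illustration of the CWE-918 pattern in a WordPress-style fetch. This is
// NOT code from the rajce plugin; the advisory does not show its internals.

// Vulnerable shape (hypothetical): the target URL comes straight from the
// request. Any scheme and any host is reachable, including 127.0.0.1 and
// 169.254.169.254.
function fetch_unchecked(string $url): string
{
    return (string) file_get_contents($url);
}

// True when $ip must never be an outbound target: loopback, RFC 1918,
// link-local (the cloud metadata address lives here), IPv6 ULA/loopback.
// A string that is not an IP at all also returns true, so the check fails closed.
function is_private_or_reserved_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

// Returns the URL if it is safe to fetch, null otherwise. $resolve maps a
// hostname to its addresses so the check can run offline here; in production
// pass something like fn($h) => gethostbynamel($h) ?: [] (assumed wiring).
function validate_outbound_url(string $url, callable $resolve): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    // Plain web fetches only: no file://, php://, gopher://, ftp:// ...
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // user:pass@host is a classic way to confuse URL parsers about the host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Standard ports only, so the server cannot be used to probe 6379, 9200, ...
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;
    }
    $host = strtolower(trim($parts['host'], '[]'));
    // Literal IPs are checked directly; names are resolved and every address
    // must be public. DNS rebinding between this check and the real request
    // remains possible, so pin the resolved IP when the HTTP client allows it.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addresses === []) {
        return null;
    }
    foreach ($addresses as $ip) {
        if (is_private_or_reserved_ip($ip)) {
            return null;
        }
    }
    return $url;
}

// Constructed resolver data for an offline demonstration, not real DNS.
$fake_dns = [
    'example.com'   => ['203.0.113.10'],
    'intranet.corp' => ['10.0.0.5'],
    'rebind.test'   => ['203.0.113.10', '127.0.0.1'],
];
$resolve = fn(string $h): array => $fake_dns[$h] ?? [];

// Constructed candidate URLs covering the cases the validator is meant to stop.
$candidates = [
    'https://example.com/album.json',
    'http://169.254.169.254/latest/meta-data/',
    'http://intranet.corp/',
    'http://example.com:8080/',
    'http://rebind.test/',
    'file:///etc/passwd',
    'http://user@example.com/',
];
foreach ($candidates as $u) {
    printf("%-45s %s\n", $u, validate_outbound_url($u, $resolve) === null ? 'blocked' : 'allowed');
}
```

Run under plain `php`, only the first candidate is reported as allowed; the metadata address, the RFC 1918 name, the non-standard port, the name that also resolves to loopback, the `file://` scheme and the embedded credentials are all rejected before a socket is opened. Inside WordPress the same class of check is available from core as `wp_http_validate_url()` and the `wp_safe_remote_get()` family, which is the preferred way for a plugin to fetch a user-supplied URL.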
Affected Systems
The vulnerability affects the vEnCa-X rajce WordPress plugin in all versions up to and including 0.4.2. Any site running a version in that range should be treated as affected until the plugin is upgraded to a release that addresses the issue or is disabled.
Risk and Exploitability
The CVSS score of 4.9 places the flaw at medium severity. Its EPSS score is below 1%, meaning exploitation in the wild was judged unlikely at the time of analysis, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The description does not spell out the attack vector; it is inferred to be remote, with the attacker supplying the target of a request that the plugin then sends to an internal or external host. Even so, because an SSRF primitive extends an attacker's reach into the server's network, administrators should treat the risk as moderate, upgrade or disable the plugin, and review outbound request logs from the web server for unexpected destinations such as loopback, private ranges or metadata addresses.
OpenCVE Enrichment