Description
Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allmart-core allows Server Side Request Forgery. This issue affects Allmart: from n/a through <= 1.0.0.
Published: 2025-07-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Allmart WordPress plugin contains a Server Side Request Forgery flaw that lets an attacker supply arbitrary URLs to be fetched by the server. By exploiting this, a malicious party can force the web application to request any external or internal resource, potentially revealing sensitive data or facilitating covert data exfiltration. The vulnerability is tied to CWE‑918 and can be used to bypass network boundaries when outbound restrictions are absent.

Affected Systems

WordPress sites that have installed the TeconceTheme Allmart Allmart‑Core plugin at any version up to and including 1.0.0 are affected. The issue applies to all releases from the earliest available build through 1.0.0, so site administrators should check the installed version and upgrade if a patched release is available.

Risk and Exploitability

The CVSS score of 7.2 classifies this issue as high severity. EPSS is below 1%, indicating a low historical exploitation probability, and the vulnerability is not listed in CISA KEV. However, the attack can be launched remotely via the plugin’s request endpoint, and once triggered the server may retrieve internal or external resources, exposing sensitive data or providing a foothold into the internal network.

Generated by OpenCVE AI on April 30, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Allmart plugin to a version that contains the SSRF fix or uninstall the plugin if no update is available
  • If an immediate update is unavailable, block the plugin’s outbound network traffic to internal IP ranges or non‑HTTPS destinations using firewall or web server rules
  • Monitor web server logs for anomalous outbound requests originating from WordPress and audit any exposed plugin endpoints

Advisories
Source: EUVD
ID: EUVD-2025-20010
Title: Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allows Server Side Request Forgery. This issue affects Allmart: from n/a through 1.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allows Server Side Request Forgery. This issue affects Allmart: from n/a through 1.0.0.
  Added: Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allmart-core allows Server Side Request Forgery. This issue affects Allmart: from n/a through <= 1.0.0.
Title
  Removed: WordPress Allmart <= 1.0.0 - Server Side Request Forgery (SSRF) Vulnerability
  Added: WordPress Allmart plugin <= 1.0.0 - Server Side Request Forgery (SSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Tue, 08 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allows Server Side Request Forgery. This issue affects Allmart: from n/a through 1.0.0.
Title WordPress Allmart <= 1.0.0 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.195Z

Reserved: 2025-06-04T15:44:22.452Z

Link: CVE-2025-49418

Vulnrichment

Updated: 2025-07-08T14:00:11.776Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:31.247

Modified: 2026-04-23T15:31:38.893

Link: CVE-2025-49418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z

Weaknesses