Impact
The vulnerability exists in the BoldGrid Post and Page Builder by BoldGrid Visual Drag and Drop Editor plugin for WordPress, versions up to and including 1.27.8. It allows an attacker to make the server issue HTTP requests of the attacker's choosing through the plugin's functionality, potentially enabling the retrieval of internal resources or the execution of arbitrary actions on the network. The flaw is a classic Server-Side Request Forgery (CWE-918): it compromises the confidentiality and integrity of internal systems and could affect the availability of network services if abused. It does not provide direct code execution, but it can be leveraged to bypass network isolation and reach privileged data.
Affected Systems
WordPress sites that have installed the BoldGrid Post and Page Builder by BoldGrid plugin, any version from the earliest available release through 1.27.8. Site administrators should verify the plugin version and confirm that they are not running a vulnerable release.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and an EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, so no widespread exploitation has been documented to date. However, the flaw is reachable through the plugin's web interface, so an attacker who can craft requests to the WordPress admin area may exploit it remotely. Because SSRF can give access to internal resources, the impact can be significant if the internal network hosts sensitive services.
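The SSRF class described in the Impact and Risk sections above, as an added Python example that is not part of this advisory and not the plugin's own code: a destination check that a server-side fetch should run before issuing any request on behalf of user input. It rejects non-HTTP schemes, embedded credentials, unexpected ports, hosts outside an allowlist, and any name that resolves to a loopback, private, link-local or otherwise internal address (including IPv4-mapped IPv6 forms). The allowlist, host names and addresses in the fake resolver are constructed for the example; the plugin's real fetch path and its fix are not shown here.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlparse

# Hypothetical allowlist of external hosts a server-side fetch legitimately needs.
ALLOWED_HOSTS = frozenset({"api.example.com", "assets.example.com"})
ALLOWED_PORTS = frozenset({80, 443})

# Ranges Python's ipaddress does not flag as private but which a server-side
# fetch should still never reach (RFC 6598 shared address space).
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)


def resolve_host(host: str) -> list[str]:
    """Resolve a name to every A/AAAA address it currently maps to (live DNS)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip: str) -> bool:
    """True for any address a server-side fetch must never be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if any(addr in net for net in EXTRA_BLOCKED if addr.version == net.version):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _addresses_for(host: str, resolve: Callable[[str], list[str]]) -> list[str]:
    """A literal IP needs no lookup; anything else goes through the resolver."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return resolve(host)


def check_outbound_url(url: str,
                       resolve: Callable[[str], list[str]] = resolve_host,
                       allowed_hosts: Optional[frozenset] = ALLOWED_HOSTS):
    """Return (ok, detail). On success, detail is the pinned IP to connect to."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not in allowlist: {host!r}"
    # Resolve once and pin: the caller must connect to the returned IP rather
    # than re-resolving the name, so DNS cannot change between check and use.
    addrs = _addresses_for(host, resolve)
    if not addrs:
        return False, "host did not resolve"
    for ip in addrs:
        if is_internal_address(ip):
            return False, f"resolves to internal address {ip}"
    return True, addrs[0]


# Constructed DNS answers so the example runs offline. "assets.example.com"
# is deliberately mapped to a link-local metadata-style address to show that
# an allowlisted name is still rejected when it resolves somewhere internal.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "assets.example.com": ["169.254.169.254"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://api.example.com/data",
                      "http://assets.example.com/logo.png",
                      "http://127.0.0.1/",
                      "http://[::ffff:10.0.0.5]/",
                      "file:///etc/passwd",
                      "https://api.example.com:8443/"):
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```

The check returns the resolved address on success so the caller can connect to that exact IP; re-resolving the name at connect time would reopen the window this check closes. Redirect targets need the same check applied again before they are followed.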
OpenCVE Enrichment