Description
The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-07-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery allows unauthenticated attackers to issue arbitrary requests from the application, enabling potential disclosure or modification of internal resources.
Action: Patch Now
AI Analysis

Impact

The Amazon Products to WooCommerce WordPress plugin is vulnerable to a server‑side request forgery (CWE‑918) in all releases through 1.2.7. The flaw is triggered via the wcta2w_get_urls() function, which processes user‑supplied URLs without proper validation. An unauthenticated attacker can use this to cause the server to fetch any target host, including internal network services, thereby exposing or altering sensitive data. This can compromise confidentiality, integrity, and availability of internal systems.

Affected Systems

WordPress sites that have the Amazon Products to WooCommerce plugin installed from the vendor suhailahmad64, in any version up to and including 1.2.7. The vulnerability is specific to that plugin and does not affect core WordPress or other plugins.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% shows a very low current exploitation probability; the vulnerability is not flagged in the CISA KEV catalog. Attack requires no special credentials or privileged access—it exploits an unauthenticated endpoint that can be queried by any external user. Consequently, a remote attacker can trigger the plugin to reach arbitrary URLs from the server, facilitating attacks such as internal port scanning, data exfiltration, or altering internal service state. The lack of network segmentation or firewall restrictions ups the risk of internal resource exposure.

Generated by OpenCVE AI on April 21, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Amazon Products to WooCommerce to the latest version that includes the fix (any release newer than 1.2.7).
  • If an update cannot be applied immediately, deactivate the plugin to stop the vulnerable endpoint from being accessible.
  • Configure a firewall or security plugin to block outbound HTTP(S) requests from the WordPress application, limiting the plugin’s ability to contact arbitrary hosts.

Generated by OpenCVE AI on April 21, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19680 The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Wed, 16 Jul 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Suhailahmad64
Suhailahmad64 amazon Products To Woocommerce
CPEs cpe:2.3:a:suhailahmad64:amazon_products_to_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Suhailahmad64
Suhailahmad64 amazon Products To Woocommerce

Wed, 02 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 02 Jul 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Amazon Products to WooCommerce <= 1.2.7 - Unauthenticated Server-Side Request Forgery
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Suhailahmad64 Amazon Products To Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:16.632Z

Reserved: 2025-06-06T16:38:33.740Z

Link: CVE-2025-5817

cve-icon Vulnrichment

Updated: 2025-07-02T13:05:22.402Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-02T04:15:58.783

Modified: 2025-07-16T15:53:33.513

Link: CVE-2025-5817

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses