Impact
In the Solace Extra WordPress plugin, a Server-Side Request Forgery (SSRF) vulnerability allows an attacker to trigger outbound HTTP requests from the web server. An attacker can supply arbitrary URLs that the plugin then fetches, enabling potential exposure of internal network services or unauthorized data exfiltration. This weakness is classified as CWE-918 and can compromise confidentiality by retrieving sensitive resources that are otherwise inaccessible from the public Internet.
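The fetch-what-you-are-given pattern described above, beside a hardened version, as an added example (not Solace Extra's code): the handler, action and hook names and the host allow-list are assumptions; the WordPress functions used (wp_safe_remote_get, wp_http_validate_url, check_ajax_referer) are the real core API.

```php
<?php
// Added example, not the plugin's own code. Shows a hypothetical AJAX handler
// that fetches a caller-supplied URL in the unsafe shape the advisory
// describes, then the same handler hardened against CWE-918.

// Unsafe: whatever URL the caller supplies is fetched by the server.
function example_fetch_unsafe() {
    $url      = isset( $_POST['url'] ) ? $_POST['url'] : '';
    $response = wp_remote_get( $url ); // no auth, no scheme/host validation
    wp_send_json( wp_remote_retrieve_body( $response ) );
}

// Hardened: authenticate the caller, constrain the URL, and use the "safe"
// HTTP API, which rejects loopback, private and link-local targets.
function example_fetch_hardened() {
    check_ajax_referer( 'example_fetch', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // Allow only http/https to a fixed allow-list of external hosts
    // (the host list is an assumption for this example).
    $parts         = wp_parse_url( $url );
    $allowed_hosts = array( 'api.example.com' );
    if ( empty( $parts['scheme'] ) || ! in_array( $parts['scheme'], array( 'http', 'https' ), true )
        || empty( $parts['host'] ) || ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        wp_send_json_error( 'url not permitted', 400 );
    }

    // wp_http_validate_url() resolves the host and refuses private ranges;
    // wp_safe_remote_get() applies the same check and re-validates redirects.
    if ( false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'url not permitted', 400 );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
add_action( 'wp_ajax_example_fetch', 'example_fetch_hardened' );
```

Registering the handler only under `wp_ajax_` (not `wp_ajax_nopriv_`) additionally keeps it out of reach of unauthenticated callers, which is the exposure the advisory flags.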
Affected Systems
The vulnerability is present in the Solace Extra plugin for WordPress, affecting all releases up to and including version 1.3.2. Systems running any of those versions, without an update, are susceptible.
Risk and Exploitability
The CVSS v3 score of 4.4 corresponds to medium severity, while the EPSS score is below 1%, indicating low observed exploitation activity at present. Because the plugin runs on publicly reachable WordPress sites, an external attacker can trigger the SSRF by interacting with the plugin's exposed endpoint. The issue is not listed in CISA's KEV catalog, but the potential for unauthenticated attackers to read internal resources makes prompt remediation advisable.
OpenCVE Enrichment