Description
Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup exitintentpopup allows Server Side Request Forgery. This issue affects Exit Intent Popup: from n/a through <= 1.0.1.
Published: 2025-09-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Exit Intent Popup plugin contains a Server Side Request Forgery flaw that permits attackers to manipulate the plugin’s request handling logic to trigger HTTP requests to arbitrary URLs. An attacker could use this capability to reach internal addresses, read sensitive data, or perform denial‑of‑service actions against external services. The weakness is identified as CWE‑918.

Affected Systems

The vulnerability affects the kamleshyadav Exit Intent Popup WordPress plugin for versions up to and including 1.0.1. Any WordPress installation that loads this plugin in those versions is susceptible, regardless of the specific WordPress core version.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. The EPSS score is less than 1 %, suggesting a low probability of widespread exploitation at present. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated web request to the plugin’s exposed endpoint, requiring the site to be reachable by an external attacker. Successful exploitation would enable the attacker to initiate outbound connections from the vulnerable server.

Generated by OpenCVE AI on April 30, 2026 at 02:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Exit Intent Popup plugin to a version newer than 1.0.1 to eliminate the SSRF code path
  • If an update cannot be applied immediately, disable or uninstall the plugin to remove the vulnerable functionality
  • Restrict outbound HTTP traffic from the WordPress server with a firewall or network ACL so that the server cannot reach internal or sensitive addresses
  • Enable logging of outgoing HTTP requests from the server and review the logs for suspicious activity


Advisories
Source: EUVD
ID: EUVD-2025-26531
Title: Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup allows Server Side Request Forgery. This issue affects Exit Intent Popup: from n/a through 1.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup allows Server Side Request Forgery. This issue affects Exit Intent Popup: from n/a through 1.0.1.
Values Added: Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup exitintentpopup allows Server Side Request Forgery.This issue affects Exit Intent Popup: from n/a through <= 1.0.1.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Wed, 03 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in kamleshyadav Exit Intent Popup allows Server Side Request Forgery. This issue affects Exit Intent Popup: from n/a through 1.0.1.
Title WordPress Exit Intent Popup Plugin <= 1.0.1 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:38:30.231Z

Reserved: 2025-09-03T09:03:12.362Z

Link: CVE-2025-58641

Vulnrichment

Updated: 2025-09-03T17:19:14.956Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:47.737

Modified: 2026-04-23T15:33:30.607

Link: CVE-2025-58641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:45:16Z

Weaknesses