Description
Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio publitio allows Server Side Request Forgery. This issue affects Publitio: from n/a through <= 2.2.1.
Published: 2025-09-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Server-Side Request Forgery vulnerability in the Publitio plugin allows an attacker to make the plugin issue server-side HTTP requests to attacker-chosen URLs. This flaw could potentially expose internal resources or leak credentials, but no remote code execution is explicitly documented. The weakness is classified as CWE-918.

Affected Systems

This vulnerability applies to all installations of the Publitio plugin version 2.2.1 or earlier. WordPress sites using any of these releases are potentially exposed, regardless of the site’s custom configurations. The flaw originates from the plugin’s 'publitio' component.

Risk and Exploitability

The CVSS score of 6.4 points to a moderate to high risk, but the EPSS score of less than 1% indicates a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalogue. Exploitation requires remote access to the WordPress site's admin interface or user-generated content that triggers the SSRF endpoint. Based on the description, it is inferred that an attacker could supply a crafted URL parameter to force the plugin to reach internal services.

Generated by OpenCVE AI on April 30, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Publitio plugin to the latest revision that fixes the SSRF issue.
  • If an upgrade cannot be performed immediately, deactivate or delete the plugin from the site to remove the vulnerable code path.
  • Restrict outbound network traffic from the WordPress host so that the plugin can reach only approved external endpoints, limiting any remaining SSRF exploitation potential.
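The last item above is a network-level control; its application-level counterpart is to validate every URL that a plugin fetches on the server's behalf before the request is issued. The following Python is an added illustration of that check (it is not code from the Publitio plugin, Patchstack or OpenCVE, and the function and exception names are this example's own): it enforces an http/https scheme, rejects embedded credentials, optionally enforces a host allowlist, resolves the hostname and refuses any answer that falls in loopback, link-local, private, CGNAT, multicast/reserved or IPv4-mapped ranges. The resolver is injectable so the policy can be exercised offline.

```python
"""SSRF destination guard: validate a URL before a server-side fetch.

Added example (not part of the Publitio plugin or OpenCVE); all names are
this example's own. Defensive pattern for CWE-918: fetch only from public,
explicitly permitted destinations.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never reach: loopback, link-local,
# RFC 1918 private, CGNAT, multicast/reserved and the IPv6 equivalents.
# IPv4-mapped IPv6 (::ffff:a.b.c.d) is listed so that a mapped loopback or
# private address is not waved through on the IPv6 code path.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


class SsrfRejected(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_blocked_address(addr: str) -> bool:
    """True if addr is unparseable or in a blocked range (fails closed)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> List[str]:
    """Resolve host with the OS resolver; [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(
    url: str,
    allowed_hosts: Optional[Iterable[str]] = None,
    resolver: Callable[[str], List[str]] = system_resolve,
) -> List[str]:
    """Check url and return the resolved addresses it may be fetched from.

    Raises SsrfRejected on any policy violation. The caller should connect
    to one of the returned addresses (sending the original hostname in the
    Host header) instead of resolving again, so a DNS answer that changes
    between check and use cannot bypass the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SsrfRejected("URL has no host")
    if parts.username is not None or parts.password is not None:
        # URL parsers disagree on where the host starts when userinfo is
        # present, so credentials in the URL are refused outright.
        raise SsrfRejected("credentials in URL are not allowed")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        raise SsrfRejected(f"host not in allowlist: {host}")
    addrs = resolver(host)
    if not addrs:
        raise SsrfRejected(f"host does not resolve: {host}")
    # Every record must pass: one internal A record among public ones is
    # enough for the HTTP client to end up talking to the internal address.
    blocked = [a for a in addrs if is_blocked_address(a)]
    if blocked:
        raise SsrfRejected(f"{host} resolves to blocked address(es): {blocked}")
    return addrs


def fetch_decision(url: str, resolver: Callable[[str], List[str]] = system_resolve) -> str:
    """Return 'allow' or 'deny: <reason>' for url (handy for logging)."""
    try:
        validate_outbound_url(url, resolver=resolver)
        return "allow"
    except SsrfRejected as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    # Constructed resolver table so the demo runs without network access.
    table = {"cdn.example.com": ["203.0.113.10"], "intranet.example": ["10.0.0.5"]}
    for u in ("https://cdn.example.com/a.jpg", "http://intranet.example/", "http://127.0.0.1/"):
        print(u, "->", fetch_decision(u, lambda h: table.get(h, [h])))
```

In a WordPress plugin the same policy would sit in front of the HTTP call (for example a wp_remote_get wrapper); the important design choices are failing closed on anything unparseable and checking every resolved record rather than only the first.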

Generated by OpenCVE AI on April 30, 2026 at 14:59 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-30497
Title: Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio allows Server Side Request Forgery. This issue affects Publitio: from n/a through 2.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio allows Server Side Request Forgery. This issue affects Publitio: from n/a through 2.2.1.
  Added: Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio publitio allows Server Side Request Forgery.This issue affects Publitio: from n/a through <= 2.2.1.
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Tue, 23 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Wordpress; Wordpress wordpress
Vendors & Products
  Added: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio allows Server Side Request Forgery. This issue affects Publitio: from n/a through 2.2.1.
Title WordPress Publitio Plugin <= 2.2.1 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.395Z

Reserved: 2025-09-06T04:45:02.779Z

Link: CVE-2025-58962

Vulnrichment

Updated: 2025-09-23T17:47:45.725Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:22.200

Modified: 2026-04-23T15:33:57.313

Link: CVE-2025-58962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses