Description
Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks zoloblocks allows Server Side Request Forgery.This issue affects ZoloBlocks: from n/a through <= 2.3.11.
Published: 2025-09-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SSRF flaw in the bdthemes ZoloBlocks WordPress plugin enables an attacker to coerce the server into making arbitrary HTTP requests. The vulnerability allows the construction of request URLs that can target internal resources, potentially enabling sensitive data discovery, lateral movement, or the exploitation of other services exposed only to the local network. The provided description does not specify an authentication requirement, so this flaw may be exploitable by any user who can trigger the plugin’s network‑related logic.

Affected Systems

The affected product is the WordPress plugin ZoloBlocks from bdthemes. Versions from the earliest available through 2.3.11 are impacted. No patch is currently listed for newer releases; administrators should verify whether an updated version exists beyond 2.3.11.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium‑to‑high severity, while the EPSS score of <1% suggests that active exploitation is unlikely at present. The flaw is not in CISA’s KEV catalog. An attacker could leverage the SSRF via the plugin’s network functions, sending requests to arbitrary URLs, which could map internal network structure or access restricted services. This attack vector is network‑based, requiring the ability to trigger the plugin logic from a web request.

Generated by OpenCVE AI on April 29, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the bdthemes ZoloBlocks plugin to a version newer than 2.3.11, which removes the SSRF vulnerability.
  • If an update is not yet available, disable the ZoloBlocks plugin until the vendor releases a patch.
  • Implement network controls that restrict the WordPress instance’s outbound connections to known, trusted domains, limiting the impact of any remaining SSRF exploitation.

Generated by OpenCVE AI on April 29, 2026 at 23:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31244 Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks allows Server Side Request Forgery. This issue affects ZoloBlocks: from n/a through 2.3.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in BdThemes ZoloBlocks zoloblocks allows Server Side Request Forgery.This issue affects ZoloBlocks: from n/a through 2.3.11. Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks zoloblocks allows Server Side Request Forgery.This issue affects ZoloBlocks: from n/a through <= 2.3.11.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Thu, 09 Oct 2025 14:30:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks allows Server Side Request Forgery. This issue affects ZoloBlocks: from n/a through 2.3.9. Server-Side Request Forgery (SSRF) vulnerability in BdThemes ZoloBlocks zoloblocks allows Server Side Request Forgery.This issue affects ZoloBlocks: from n/a through 2.3.11.
Title WordPress ZoloBlocks Plugin <= 2.3.9 - Server Side Request Forgery (SSRF) Vulnerability WordPress ZoloBlocks Plugin <= 2.3.11 - Server Side Request Forgery (SSRF) Vulnerability

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks allows Server Side Request Forgery. This issue affects ZoloBlocks: from n/a through 2.3.9.
Title WordPress ZoloBlocks Plugin <= 2.3.9 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:56.338Z

Reserved: 2025-09-25T15:28:09.601Z

Link: CVE-2025-60161

cve-icon Vulnrichment

Updated: 2025-09-26T16:56:58.049Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:45.473

Modified: 2026-04-23T15:34:20.063

Link: CVE-2025-60161

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses