Impact
An administrator level Server Side Request Forgery (SSRF) flaw exists in PopAd versions 1.0.4 and earlier, permitting a privileged user to ask the server to fetch arbitrary URLs. The vulnerability can lead to disclosure of internal network resources, configuration data, or other sensitive information that the web host can reach, potentially enabling further exploitation such as privilege escalation or data exfiltration.
Affected Systems
All WordPress installations that use PopAd developed by vynnus version 1.0.4 or older are susceptible to the issue; any site hosting that plugin in a WordPress environment is affected.
Risk and Exploitability
The CVSS score of 4.4 indicates a medium severity, while an EPSS score of less than 1% reflects a low probability of active exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. Because the SSRF endpoints are available only through the WordPress administration interface, an attacker must have administrative access to trigger the flaw, after which they can supply a crafted URL and read the server’s response to target internal services or resources.
OpenCVE Enrichment