Description
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
Published: 2026-06-15
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An administrator level Server Side Request Forgery (SSRF) flaw exists in PopAd versions 1.0.4 and earlier, permitting a privileged user to ask the server to fetch arbitrary URLs. The vulnerability can lead to disclosure of internal network resources, configuration data, or other sensitive information that the web host can reach, potentially enabling further exploitation such as privilege escalation or data exfiltration.

Affected Systems

All WordPress installations that use PopAd developed by vynnus version 1.0.4 or older are susceptible to the issue; any site hosting that plugin in a WordPress environment is affected.

Risk and Exploitability

The CVSS score of 4.4 indicates a medium severity, while an EPSS score of less than 1% reflects a low probability of active exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. Because the SSRF endpoints are available only through the WordPress administration interface, an attacker must have administrative access to trigger the flaw, after which they can supply a crafted URL and read the server’s response to target internal services or resources.

Generated by OpenCVE AI on June 17, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PopAd plugin to a version newer than 1.0.4 to remove the SSRF flaw.
  • If a patch is not available, apply an outbound request whitelist or block the WordPress process from making arbitrary HTTP requests using a firewall or application layer rule.
  • Restrict access to the WordPress admin panel and PopAd configuration settings to trusted administrators, limiting the number of users who can invoke the vulnerable endpoint.

Generated by OpenCVE AI on June 17, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Vynnus
Vynnus popad
Wordpress
Wordpress wordpress
Vendors & Products Vynnus
Vynnus popad
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
Title WordPress PopAd Plugin <= 1.0.4 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:17:26.674Z

Reserved: 2025-09-25T15:28:19.138Z

Link: CVE-2025-60175

cve-icon Vulnrichment

Updated: 2026-06-16T14:17:20.847Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:38.060

Modified: 2026-06-15T21:24:32.790

Link: CVE-2025-60175

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:08:11Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)