Description
Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4.
Published: 2025-12-09
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery in the ThemesInflow Hercules Core WordPress plugin, affecting all releases up to and including version 7.4. The flaw allows an attacker to trigger arbitrary HTTP requests from the web server to URLs supplied through the plugin, and is classified as CWE‑918, indicating insufficient validation of external URLs.

Affected Systems

Affects the ThemesInflow Hercules Core WordPress plugin. All releases from the earliest available version through 7.4 are impacted. No specific patch level is listed; upgrading to a newer version than 7.4 is required to remove the flaw.

Risk and Exploitability

The CVSS score of 4.9 denotes moderate severity, and the very low EPSS (<1%) indicates that widespread exploitation is unlikely. The flaw is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability by supplying a crafted request to the plugin that causes the server to send outbound HTTP requests to arbitrary resources, a typical SSRF attack scenario.

Generated by OpenCVE AI on April 29, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hercules Core to a version above 7.4 to eliminate the flaw.
  • If an upgrade is not immediately possible, configure the plugin or a proxy to block external HTTP requests and restrict outbound traffic from the web server.
  • Monitor server logs and firewall rules for anomalous outbound requests and review network traffic for unexpected internal resource access.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 10 Dec 2025 12:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:00:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4.
Title WordPress Hercules Core plugin <= 7.4 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses CWE-918
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:08.670Z

Reserved: 2025-10-24T14:25:34.657Z

Link: CVE-2025-63010

Vulnrichment

Updated: 2025-12-10T11:24:33.309Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:06.450

Modified: 2026-04-27T19:16:17.727

Link: CVE-2025-63010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:00:14Z
