Impact
A Server-Side Request Forgery (SSRF) vulnerability has been disclosed in the bdthemes Prime Slider – Addons For Elementor plugin (bdthemes-prime-slider-lite), affecting all releases up to version 4.0.10. The flaw allows an attacker to force the WordPress host to send arbitrary HTTP or HTTPS requests to internal or external resources, potentially revealing sensitive data or allowing further exploitation. The CVE reference does not detail how the malicious URLs are supplied; it is inferred that user-controlled input is used to construct outbound requests without proper validation or filtering, which is the typical mechanism for SSRF attacks.
Affected Systems
All WordPress installations of bdthemes Prime Slider – Addons For Elementor running any version from the initial release through 4.0.10 are vulnerable. Later versions are not known to contain the flaw.
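One way to check an installation against the affected range above, as an added example (not code from the plugin or from the advisory). It assumes the standard WordPress layout, where the plugin sits in `wp-content/plugins/<slug>/` and carries a `Version:` header in a top-level PHP file; the function names are hypothetical.

```python
import re
from pathlib import Path

SLUG = "bdthemes-prime-slider-lite"  # plugin slug named in the advisory
LAST_AFFECTED = (4, 0, 10)           # last affected release per the advisory
# WordPress takes plugin metadata from a header comment in a top-level PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)


def parse_version(text):
    """'4.0.10' -> (4, 0, 10); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """Numeric compare against 4.0.10; an unparsable version counts as affected."""
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)


def installed_version(plugins_dir):
    """Return the Version header of the installed plugin, or None if absent."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        m = VERSION_RE.search(head)
        if "Plugin Name:" in head and m:
            return m.group(1)
    return None


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    found = installed_version(root)
    if found is None:
        print(f"{SLUG}: not installed under {root}")
    else:
        state = "AFFECTED (<= 4.0.10)" if is_affected(found) else "not known affected"
        print(f"{SLUG} {found}: {state}")
```

The comparison is numeric per component, so 4.0.9 is correctly treated as older than 4.0.10, which a plain string comparison would get wrong.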
Risk and Exploitability
The CVSS score of 4.9 indicates moderate severity, and the EPSS score of less than 1 % suggests low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need the WordPress site to be reachable and would likely send crafted requests through the plugin’s interface or a widget that triggers the server‑side HTTP request functionality. Once exploited, the host could reach internal network services, exfiltrate data, or be used as a pivot to launch additional attacks. The moderate CVSS score combined with the low EPSS rating means that while the risk is limited at present, the potential impact on confidentiality and availability warrants timely remediation.
OpenCVE Enrichment