Description
The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-08-15
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The Quttera Web Malware Scanner plugin for WordPress contains a Server-Side Request Forgery flaw. The RunExternalScan functionality allows an authenticated user with Administrator privileges to instruct the web application to send HTTP requests to arbitrary URLs. An attacker can leverage this to probe internal network services or modify data accessed by the plugin, potentially exposing sensitive information or enabling further compromise.

Affected Systems

The vulnerability affects the Quttera ThreatSign – Web Malware Scanner for WordPress plugin in all releases up to and including version 3.5.1.41. WordPress sites running any affected version of this plugin are impacted; exploitation requires an account with Administrator-level access.

Risk and Exploitability

The CVSS score of 3.8 indicates low severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. Exploitability requires a valid administrator account and access to the plugin's external scan feature; once authenticated, an attacker can initiate internal requests and potentially gather or manipulate data from protected services.

Generated by OpenCVE AI on April 21, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quttera Web Malware Scanner plugin to the latest version where the SSRF issue has been fixed (any release newer than 3.5.1.41).
  • If an upgrade is temporarily infeasible, restrict the RunExternalScan capability by modifying the plugin's role permissions to deny administrator access to this function or by disabling the feature entirely.
  • Apply network-level controls to block outbound connections from the WordPress application to internal IP ranges or untrusted addresses, thereby limiting the impact of any remaining SSRF vulnerabilities.



Advisories
Source: EUVD
ID: EUVD-2025-24993
Title: The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Sat, 16 Aug 2025 21:45:00 +0000

Type: First Time appeared
Values Added: Quttera; Quttera quttera Web Malware Scanner; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Quttera; Quttera quttera Web Malware Scanner; Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 12:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Aug 2025 06:45:00 +0000

Type: Description
Values Added: The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Added: Quttera Web Malware Scanner <= 3.5.1.41 - Authenticated (Administrator+) Server-Side Request Forgery

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:26.781Z

Reserved: 2025-07-22T00:27:02.341Z

Link: CVE-2025-8013

Vulnrichment

Updated: 2025-08-15T12:10:06.526Z

NVD

Status: Deferred

Published: 2025-08-15T07:15:28.963

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:45:27Z

Weaknesses