Platform
wordpress
Component
allmart-core
Fixed in
1.0.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Allmart WordPress theme. This flaw allows attackers to manipulate the theme to make requests to unintended internal or external resources, potentially exposing sensitive data or facilitating unauthorized access. The vulnerability impacts versions 0.0 through 1.0.0 of the Allmart theme, and a patch is available in version 1.0.1.
The SSRF vulnerability in Allmart allows an attacker to craft malicious requests through the theme, tricking the server into making requests to arbitrary URLs. This could lead to the exposure of internal services and data that are not directly accessible from the outside. For example, an attacker might be able to scan internal network ranges, access administrative interfaces, or retrieve sensitive configuration files. The blast radius extends to any internal resources accessible via HTTP/HTTPS from the WordPress server. Successful exploitation could also be leveraged for reconnaissance, gathering information about the internal network and identifying further attack vectors.
This vulnerability was publicly disclosed on 2025-07-04. Currently, there are no known public proof-of-concept exploits available. The CVSS score of 7.2 indicates a HIGH severity, suggesting a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Websites using the Allmart WordPress theme, particularly those with sensitive internal services or data accessible via HTTP/HTTPS, are at risk. Shared hosting environments where multiple websites share the same server infrastructure are also at increased risk, as a compromised Allmart installation on one site could potentially be used to attack other sites on the same server.
• wordpress / composer / npm:
  grep -r 'http://' /var/www/html/wp-content/themes/allmart-core/*
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/themes/allmart-core/ | grep -i 'server:'
Disclosure
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49418 is to immediately upgrade the Allmart WordPress theme to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to suspicious URLs or restrict outbound connections from the WordPress server. Additionally, review and restrict any outbound network access from the WordPress server to only necessary destinations. Monitor WordPress access logs for unusual outbound requests originating from the Allmart theme.
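The outbound-restriction and URL-validation advice above, as an added example that is not code from the Allmart theme or from this advisory: a guard that a theme's fetch wrapper could apply to a user-influenced URL before any server-side request is made. The hostnames, addresses and the `fake_resolve` table are constructed so the check runs offline; a deployment would resolve with socket.getaddrinfo() and connect to the address that passed validation.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.example.local": ["10.0.0.5"],       # RFC 1918 host behind the firewall
    "metadata.example.com": ["169.254.169.254"],  # name pointing at a cloud metadata address
}

def fake_resolve(host):
    """Stand-in resolver; a deployment would call socket.getaddrinfo() instead."""
    return FAKE_DNS[host.lower()]  # KeyError stands in for NXDOMAIN

def classify_outbound_url(url, resolve=fake_resolve, allowed_hosts=None):
    """Return (allowed, reason) for a server-side fetch target before it is requested."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not permitted"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: nothing to look up
    except ValueError:
        try:
            addrs = resolve(host)
        except (OSError, KeyError):
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16), CGNAT and reserved space.
        if not ip.is_global or ip.is_multicast:
            return False, f"{host} resolves to non-public address {addr}"
    # Connect to one of the validated addresses rather than re-resolving, or a DNS
    # rebinding race can defeat this check.
    return True, "ok"
```

Pair this with an egress firewall rule on the WordPress host, since a validator in PHP code cannot cover requests made by other plugins or by the server itself.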
Update the Allmart plugin to the latest available version to mitigate the SSRF vulnerability. Check for plugin updates in the WordPress admin panel or in the official WordPress plugin repository. Implement additional security measures, such as input validation and restricting access to sensitive resources.
CVE-2025-49418 is a Server-Side Request Forgery vulnerability affecting the Allmart WordPress theme, allowing attackers to make requests to unintended resources.
If you are using the Allmart WordPress theme versions 0.0 through 1.0.0, you are affected by this vulnerability.
Upgrade the Allmart WordPress theme to version 1.0.1 or later to resolve the SSRF vulnerability. Consider WAF rules as a temporary workaround.
Currently, there are no confirmed reports of active exploitation, but the HIGH severity score indicates a potential risk.
Refer to the Allmart theme developer's website or WordPress plugin repository for the official advisory and update information.