Platform: wordpress
Component: popup-builder-block
Fixed in: 2.1.5
CVE-2025-10861 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress. This vulnerability allows unauthenticated attackers to initiate web requests on behalf of the application, potentially accessing internal resources and performing reconnaissance. The vulnerability affects versions from 0.0.0 through 2.1.4, with a partial fix implemented in version 2.1, and a complete resolution in version 2.1.5.
The SSRF vulnerability in the Popup Builder plugin allows an attacker to supply a URL that the plugin then fetches server-side. This can be exploited to reach internal services that are not directly accessible from the outside world, such as administrative dashboards, databases, or other internal APIs. An attacker could potentially query sensitive information, modify data, or even gain a foothold within the internal network. Because no authentication is required, any visitor, even one without a WordPress account, can trigger these requests. This vulnerability presents a significant risk to WordPress sites utilizing this plugin, especially those with sensitive internal services.
This vulnerability is publicly disclosed and documented in the NVD. While no active exploitation campaigns have been definitively linked to CVE-2025-10861 at the time of writing, the SSRF nature of the vulnerability makes it a potential target for automated scanning and exploitation. The relatively wide range of affected versions (0.0.0 – 2.1.4) increases the potential attack surface. It has not been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2025-10861 is to upgrade the Popup Builder plugin to version 2.1.5 or later immediately. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URLs or patterns indicative of SSRF exploitation. Additionally, review and restrict access to internal services to minimize the potential impact of a successful SSRF attack. Monitor the site's access logs for unusual requests to the plugin's endpoints and, where available, egress or proxy logs for unexpected outbound connections from the web server.
Update the 'Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers' plugin to version 2.1.5 or higher to mitigate the Server-Side Request Forgery (SSRF) vulnerability. This update corrects the insufficient URL validation, preventing attackers from making arbitrary web requests from the application.
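The kind of URL validation an SSRF fix adds, shown as an added example in plain PHP; this is not the plugin's code, the function names are hypothetical, and the sample URLs are constructed.

```php
<?php
// Added example, not the plugin's code: allowlist validation of a user-supplied
// URL before a server-side fetch, the class of check whose absence CVE-2025-10861
// describes. Function names are hypothetical.
function pb_example_is_public_ip(string $ip): bool {
    // Rejects loopback, RFC 1918, link-local, other reserved ranges and the IPv6 equivalents.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function pb_example_is_safe_outbound_url(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    // Web schemes only (no file://, ftp://, php:// ...), no embedded
    // credentials, standard ports only.
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array($parts['port'] ?? ($scheme === 'https' ? 443 : 80), [80, 443], true)) {
        return false;
    }
    // Resolve the host and require every address to be public. A literal IP
    // resolves to itself; a bracketed IPv6 literal fails gethostbynamel() and
    // is therefore rejected, the conservative outcome.
    $host = $parts['host'];
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        return false;
    }
    foreach ($addresses as $ip) {
        if (!pb_example_is_public_ip($ip)) {
            return false;
        }
    }
    // The fetch must then use the validated address, or in WordPress go through
    // wp_safe_remote_get() with 'redirection' => 0, so a redirect or a second DNS answer cannot steer it at an internal host.
    return true;
}

// Constructed sample inputs; 203.0.113.10 is a documentation-range address
// standing in for a public host so the run needs no DNS.
foreach (['https://203.0.113.10/banner.png', 'http://127.0.0.1/wp-admin/',
          'http://user:pw@10.0.0.5:8080/', 'ftp://203.0.113.10/feed.xml'] as $url) {
    printf("%-34s %s\n", $url, pb_example_is_safe_outbound_url($url) ? 'allowed' : 'rejected');
}
```

Only the first sample passes; the other three are refused for a loopback host, embedded credentials with a private host on a non-standard port, and a non-web scheme respectively.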
CVE-2025-10861 is a Server-Side Request Forgery vulnerability affecting the Popup Builder WordPress plugin, allowing attackers to make requests on behalf of the application.
You are affected if you are using Popup Builder plugin versions 0.0.0 through 2.1.4 on WordPress. Upgrade to 2.1.5 or later to resolve the issue.
Upgrade the Popup Builder plugin to version 2.1.5 or later. Consider implementing a WAF rule as a temporary workaround if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are currently known, the SSRF nature of the vulnerability makes it a potential target for automated scanning and exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.