Platform: wordpress
Component: getcontentfromurl
Fixed in: 1.0.1
CVE-2025-14613 is a Server-Side Request Forgery (SSRF) vulnerability in the GetContentFromURL plugin for WordPress. It lets an authenticated user with the Contributor role or higher make the WordPress server issue HTTP(S) requests to arbitrary destinations. Versions 1.0.0 through 1.0 are affected. The record above lists 1.0.1 as the fixed release; confirm in the WordPress plugin directory that this version is actually available to you before treating the issue as patched.
The flaw is in the [gcfu] shortcode's url attribute. The plugin passes the user-supplied value to wp_remote_get() rather than wp_safe_remote_get(). The safe variant sets reject_unsafe_urls, which runs the target (and every redirect hop) through wp_http_validate_url() and refuses non-http(s) schemes, embedded credentials, loopback and RFC 1918 addresses, and ports other than the allowed defaults; the unsafe variant performs no such check. Any user who can put the shortcode into content can therefore make the server fetch a URL of their choosing, and a Contributor can do this without publishing anything, because shortcodes execute when a draft is previewed. Internal services that are not exposed to the Internet become reachable, and since the shortcode's purpose is to render what it fetched, the response body is returned in the page rather than the attack being blind. Realistic impact depends on what the web server can reach over HTTP(S): internal admin interfaces, instance-metadata endpoints or unauthenticated APIs can leak data or accept state-changing requests, and escalation to code execution is possible only where such a reachable service is itself vulnerable. The blast radius is the set of HTTP/HTTPS endpoints reachable from the WordPress host.
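To make the difference concrete, here is an added example written for this page, not the plugin's actual source: a hypothetical vulnerable shortcode handler (gcfu_example_vulnerable) beside a hardened one (gcfu_example_hardened) built on WordPress's own safe HTTP API. Both function names are placeholders.

```php
<?php
// Added example, not code from the GetContentFromURL plugin. Function names are hypothetical.

// Vulnerable pattern: the url attribute goes straight into wp_remote_get(), which
// validates nothing about the destination. A Contributor can therefore make the
// server fetch http://127.0.0.1:9200/ or any other internal endpoint and have the
// body rendered into the page.
function gcfu_example_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'url' => '' ), $atts, 'gcfu' );
    $response = wp_remote_get( $atts['url'] );
    return wp_remote_retrieve_body( $response );
}

// Hardened pattern.
function gcfu_example_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'gcfu' );

    // wp_http_validate_url() requires an absolute http(s) URL without credentials,
    // rejects loopback and RFC 1918 targets (unless a site allows them through the
    // http_request_host_is_external filter) and rejects ports outside 80/443/8080
    // (filterable via http_allowed_safe_ports). It returns the URL or false.
    $url = wp_http_validate_url( $atts['url'] );
    if ( ! $url ) {
        return '';
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so each redirect hop is
    // validated again before it is followed. Bound time and size as well.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 2,
        'limit_response_size' => 512 * 1024,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }

    // Never echo a remote body into a page unfiltered.
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}
```

Even the hardened version is not a complete SSRF defence on its own: wp_http_validate_url() resolves hostnames once at validation time, so a DNS answer that changes between validation and the actual request can still reach an internal address, and its range checks do not cover every non-routable range (IPv6 and link-local addresses, for example). Egress filtering on the host remains the backstop.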
The vulnerability was publicly disclosed on 2026-01-14. No public proof-of-concept code had been released at the time of writing. The Contributor-or-higher requirement limits mass exploitation, but that role is common on multi-author sites, so treat it as a low bar rather than a strong control. The CVE is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-14613 is to update GetContentFromURL to a release that fixes the issue (the record above lists 1.0.1) as soon as it is available. Until then, the workarounds that actually change the outcome are: egress filtering on the web host or network so the PHP process cannot open HTTP(S) connections to loopback, RFC 1918, link-local (including cloud instance-metadata) or other internal ranges; forcing WordPress's safe-URL validation site-wide, or wrapping the [gcfu] shortcode so its url attribute is validated before the plugin's handler runs, or simply removing the shortcode with remove_shortcode('gcfu') if the site does not need it; and reviewing which accounts hold Contributor or higher. A WAF only sees inbound traffic: it can reject post submissions whose [gcfu] url attribute points at an internal address, but it cannot stop the server's own outbound fetch, so it is a supplement rather than the fix. For detection, audit existing posts, drafts and revisions for [gcfu] shortcodes with internal targets, and watch egress (proxy or firewall logs, not the web server's access logs, which record only inbound requests) for connections from the web server to internal addresses.
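The site-level hardening described above, as an added example written for this page (it is not code from the plugin or its vendor). It is a must-use plugin that forces safe-URL validation on every WordPress HTTP request and additionally wraps whatever handler the plugin registered for [gcfu]; the hostname search.internal is a placeholder for a legitimate private integration you might need to allowlist.

```php
<?php
/**
 * Plugin Name: Force safe HTTP requests (interim SSRF mitigation)
 * Description: Added example, not part of GetContentFromURL. Place in
 * wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Make every wp_remote_*() call behave like wp_safe_remote_*(): with
//    reject_unsafe_urls set, WP_Http runs the initial URL and every redirect
//    hop through wp_http_validate_url() before connecting.
add_filter( 'http_request_args', function ( $args, $url ) {
    $args['reject_unsafe_urls'] = true;
    return $args;
}, 10, 2 );

// 2. If an integration genuinely needs a private host, allowlist that host
//    explicitly rather than disabling the check. 'search.internal' is a
//    hypothetical hostname used only for this example.
add_filter( 'http_request_host_is_external', function ( $is_external, $host, $url ) {
    $allowed = array( 'search.internal' );
    return $is_external || in_array( $host, $allowed, true );
}, 10, 3 );

// 3. Belt and braces for this specific shortcode: re-register [gcfu] with a
//    wrapper that validates the url attribute and only then calls the
//    plugin's original callable. Runs late on init so the plugin has
//    already registered its shortcode.
add_action( 'init', function () {
    global $shortcode_tags;
    if ( empty( $shortcode_tags['gcfu'] ) || ! is_callable( $shortcode_tags['gcfu'] ) ) {
        return;
    }
    $original = $shortcode_tags['gcfu'];
    add_shortcode( 'gcfu', function ( $atts, $content = '', $tag = 'gcfu' ) use ( $original ) {
        $url = ( is_array( $atts ) && isset( $atts['url'] ) ) ? $atts['url'] : '';
        if ( ! wp_http_validate_url( $url ) ) {
            error_log( 'gcfu shortcode blocked: url attribute failed validation' );
            return '';
        }
        return call_user_func( $original, $atts, $content, $tag );
    } );
}, PHP_INT_MAX );
```

Two caveats before deploying this. Forcing reject_unsafe_urls affects every plugin and theme on the site, so anything that talks to a private host or a non-standard port will start failing until it is allowlisted; test integrations first. And wp_http_validate_url() resolves the hostname at validation time while the request resolves it again, so a rebinding DNS name can still slip through; keep host or network egress filtering in place as the control that does not depend on the application.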
If no patched release is yet available for your installation, review the details above and apply the mitigations your risk tolerance requires. Where the plugin is not essential, deactivating and uninstalling it (which also removes the shortcode handler) is the simplest complete fix.
CVE-2025-14613 is a Server-Side Request Forgery vulnerability in the GetContentFromURL WordPress plugin, allowing authenticated users to make arbitrary web requests.
You are affected if your WordPress site runs GetContentFromURL in the listed affected range (1.0.0 through 1.0) and any account holds the Contributor role or higher.
Update to the fixed release (listed above as 1.0.1) as soon as it is available to you. Until then, apply egress filtering, force WordPress's safe-URL validation or wrap or remove the [gcfu] shortcode, and review who holds Contributor access.
There is no confirmed active exploitation of CVE-2025-14613 at this time, but the vulnerability is publicly known.
Check the GetContentFromURL plugin's official website or WordPress plugin repository for updates and security advisories.