Platform: wordpress
Component: allmart-core
Fixed in: 1.0.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Allmart WordPress theme. The flaw lets an attacker cause the theme to issue HTTP requests to internal or external resources it was never meant to reach, potentially exposing sensitive data or enabling unauthorized access. Versions 0.0 through 1.0.0 of the Allmart theme are affected; a patch is available in version 1.0.1.
The SSRF in Allmart lets an attacker craft requests through the theme so that the WordPress server fetches attacker-chosen URLs on the attacker's behalf. This can expose internal services and data that are not reachable from outside the network: for example, internal address ranges, administrative interfaces, or configuration endpoints that are only reachable from the web server. The blast radius covers any resource reachable over HTTP/HTTPS from the WordPress server. Successful exploitation can also serve as reconnaissance, revealing the layout of the internal network and surfacing further attack paths.
This vulnerability was publicly disclosed on 2025-07-04. No public proof-of-concept exploit is currently known. The CVSS score of 7.2 corresponds to HIGH severity, which the page assesses as a moderate likelihood of exploitation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-49418 is to upgrade the Allmart WordPress theme to version 1.0.1 or later immediately. If upgrading is not feasible right away because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks requests carrying suspicious URLs, and restrict outbound connections from the WordPress server. Independently of the WAF, review and limit the server's outbound network access to only the destinations it genuinely needs. Monitor the WordPress server's logs for unusual outbound requests originating from the Allmart theme.
Update the Allmart theme to the latest available version to mitigate the SSRF vulnerability. Check for theme updates in the WordPress admin panel or the official WordPress repository. Add further defensive measures, such as validating any URL the theme is asked to fetch and restricting access to sensitive resources.
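The input-validation measure above, shown as an added example that is not Allmart's code and does not describe where the real flaw sits in the theme: a small wrapper that a theme or plugin can use before fetching a URL supplied by a request. It assumes WordPress is loaded (it uses wp_parse_url, wp_safe_remote_get, wp_remote_retrieve_body and WP_Error), and the allow-list host api.example.com and the function names are placeholders chosen for this example.

```php
<?php
// Added example (not from the Allmart theme): allow-list plus address checks
// before a server-side fetch, layered on top of wp_safe_remote_get().

/**
 * Return true only if $url is an http(s) URL without embedded credentials,
 * whose host is on the allow-list and resolves only to public IPv4 addresses.
 */
function allmart_example_is_safe_fetch_url( string $url, array $allowed_hosts ): bool {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Only plain web schemes; rejects file://, gopher://, php:// and friends.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // Credentials in the authority part confuse parsers; refuse them outright.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    // Non-standard ports are a common way to reach internal admin services.
    if ( isset( $parts['port'] ) && ! in_array( (int) $parts['port'], array( 80, 443 ), true ) ) {
        return false;
    }
    $host = strtolower( $parts['host'] );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return false;
    }
    // Check every address the name resolves to, not just the first one
    // (a name may map to several records). gethostbynamel() only returns
    // IPv4 records, so IPv6-only hosts fail closed here.
    $ips = gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        // NO_PRIV_RANGE drops 10/8, 172.16/12, 192.168/16;
        // NO_RES_RANGE drops loopback, link-local (169.254/16), 0/8 and 240/4.
        $ok = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ( false === $ok ) {
            return false;
        }
    }
    return true;
}

/**
 * Fetch $url only if it passes the checks above. Redirects are disabled so a
 * permitted host cannot bounce the request to an internal address, and
 * wp_safe_remote_get() adds WordPress's own reject_unsafe_urls validation.
 *
 * @return string|WP_Error Response body on success, WP_Error otherwise.
 */
function allmart_example_fetch( string $url ) {
    $allowed_hosts = array( 'api.example.com' ); // placeholder allow-list for this example
    if ( ! allmart_example_is_safe_fetch_url( $url, $allowed_hosts ) ) {
        return new WP_Error( 'ssrf_blocked', 'Refused to fetch a URL outside the allow-list.' );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}
```

The resolution check is performed at validation time, while the actual connection is made slightly later by the HTTP layer, so a DNS answer that changes between the two calls is not caught by this wrapper; restricting outbound connections at the network level, as the mitigation above recommends, closes that gap regardless of what the application does.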
CVE-2025-49418 is a Server-Side Request Forgery vulnerability in the Allmart WordPress theme that lets attackers make the server request resources it was not intended to reach.
If you are running Allmart WordPress theme versions 0.0 through 1.0.0, you are affected by this vulnerability.
Upgrade the Allmart WordPress theme to version 1.0.1 or later to resolve the SSRF vulnerability. WAF rules can serve as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the HIGH severity score indicates a real risk.
Refer to the Allmart theme developer's website or the WordPress plugin repository for the official advisory and update information.