Platform: wordpress
Component: fwduvp
Fixed in: 10.1.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in FWDesign's Ultimate Video Player WordPress plugin. It allows an attacker to make the plugin issue HTTP requests to destinations of the attacker's choosing, including internal hosts that only the server can reach, potentially exposing sensitive data or enabling unauthorized access. All versions up to and including 10.1 are affected; the fix is in version 10.1.1.
Because the forged request originates from the web server, it carries the server's network position and whatever trust is attached to it. An attacker could use the plugin to probe internal networks for open ports and services, retrieve data from internal HTTP services (administrative interfaces, cloud instance metadata endpoints, or other internal APIs that trust requests from inside the network), and interact with those APIs without authenticating. The blast radius is every resource reachable over HTTP/HTTPS from the host running the plugin, which on cloud or containerized deployments is often far larger than the WordPress site itself. SSRF is not by itself remote code execution, but it is a well-established stepping stone when internal systems are vulnerable or trust the server's address.
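The difference between an unchecked fetch and a guarded one is worth seeing in code. The following is an added example written for this page, not code from the Ultimate Video Player plugin or from FWDesign. It shows the checks a server-side fetch of a user-supplied URL needs: a scheme and port allowlist, rejection of userinfo in the URL, and a resolution-time check that every address the name maps to is publicly routable (IPv4-mapped IPv6 literals included). The hostnames, addresses and the `FAKE_DNS` table are constructed so the example runs offline; `check_fetch_url`, `is_public_address` and `fake_getaddrinfo` are names chosen here.

```python
"""Guarding a server-side fetch against SSRF.

Added example; not code from the Ultimate Video Player plugin. The DNS table
below is a constructed stand-in for socket.getaddrinfo so this runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed (hypothetical) DNS answers used in place of real resolution.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],                   # public address
    "internal-api.corp": ["10.0.0.5"],                      # RFC 1918
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],    # mixed answer
}


def fake_getaddrinfo(host, port, *args, **kwargs):
    """Mimic socket.getaddrinfo's return shape using the table above."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    out = []
    for ip in FAKE_DNS[host]:
        family = socket.AF_INET6 if ":" in ip else socket.AF_INET
        sockaddr = (ip, port, 0, 0) if family == socket.AF_INET6 else (ip, port)
        out.append((family, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", sockaddr))
    return out


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5
    return ip.is_global and not (
        ip.is_multicast or ip.is_reserved or ip.is_loopback or ip.is_link_local
    )


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (True, pinned_ips) if url may be fetched, else (False, reason).

    The caller should connect to one of the returned IPs (sending the original
    Host header) instead of re-resolving the name; otherwise a DNS answer that
    changes between this check and the request (rebinding) defeats the check.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not permitted"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL not permitted"  # user@host tricks
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    try:  # literal address: no DNS lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}"
        addrs = sorted({info[4][0] for info in infos})
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:  # one non-public answer poisons the whole name
        return False, "non-public address(es): " + ", ".join(bad)
    return True, addrs


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example.com/video.mp4",
        "http://169.254.169.254/latest/meta-data/",
        "http://internal-api.corp/admin",
        "http://rebind.example.com/",
        "http://[::ffff:10.0.0.5]/",
    ):
        print(candidate, "->", check_fetch_url(candidate, fake_getaddrinfo))
```

Two caveats beyond the validator itself: connect to the pinned address rather than the name, as the docstring says, and if the HTTP client follows redirects, run every redirect target through the same check, because a public host can answer with a 302 to an internal address.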
This vulnerability was publicly disclosed on 2025-09-09. No active campaigns targeting it are known and no public proof-of-concept exploit has been released as of this writing. SSRF bugs in widely installed WordPress plugins are routinely picked up by automated scanners once details circulate, so the absence of a PoC should not be read as low risk. It has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.04% (10th percentile)
The primary mitigation for CVE-2025-49430 is to upgrade Ultimate Video Player to version 10.1.1 or later. If that is not immediately feasible because of compatibility concerns, reduce exposure in two layers. At the application edge, a Web Application Firewall (WAF) can block inbound requests whose parameters carry URLs pointing at loopback, link-local or private address ranges, or at schemes other than HTTP(S); note that a WAF inspects requests arriving at the site, not the outbound requests the plugin makes. At the network layer, restrict the web server's egress with host firewall rules, an outbound proxy and network segmentation so it cannot reach internal services or instance metadata endpoints it does not need. After upgrading, confirm that the installed plugin version reports 10.1.1 or later; if you have a staging environment and a test case for the affected functionality, verify there that attacker-controlled destinations are no longer fetched.
Update the Ultimate Video Player plugin to the latest available version to mitigate the SSRF vulnerability. Check for updates in the WordPress repository or on the developer's website. Independently of the upgrade, validate any user-supplied URL the server fetches and restrict the server's access to sensitive internal resources.
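A practitioner responsible for more than one site wants to know which installs still run an affected build. The following Python is an added example, not tooling from FWDesign or from this page: it parses the JSON that WP-CLI's `wp plugin list --format=json` produces and flags installs older than 10.1.1. It assumes the plugin is installed under the slug `fwduvp` (the Component field above; a premium plugin can be installed under a different folder name, so check yours). The inventory JSON is constructed sample data, and `parse_version`, `is_affected` and `find_affected` are names chosen here.

```python
"""Finding affected Ultimate Video Player installs from WP-CLI output.

Added example, not tooling from FWDesign. Assumes the plugin slug "fwduvp"
and that `wp plugin list --format=json` can be run on each site; the
inventory below is constructed sample output, not a real scan.
"""
import itertools
import json

AFFECTED_SLUG = "fwduvp"
FIXED_VERSION = "10.1.1"

# Constructed sample: what `wp plugin list --format=json` might return per site.
SAMPLE_INVENTORY = {
    "shop.example.com": json.dumps([
        {"name": "fwduvp", "status": "active", "update": "available", "version": "10.1"},
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3.5"},
    ]),
    "blog.example.com": json.dumps([
        {"name": "fwduvp", "status": "inactive", "update": "none", "version": "10.1.1"},
    ]),
    "docs.example.com": json.dumps([
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3.5"},
    ]),
}


def parse_version(text):
    """Turn '10.1' into (10, 1, 0, 0) so that 10.1 < 10.1.1 < 10.10.

    Plain string comparison gets this wrong ('9.9' sorts after '10.1.1');
    each dotted component is compared numerically, a trailing suffix such as
    '1-beta' is reduced to its leading digits, and missing components are 0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fix."""
    return parse_version(version) < parse_version(fixed)


def find_affected(inventory):
    """Map site -> installed version for every site with an affected build.

    Inactive plugins are reported too: their files stay on disk and may still
    be requestable directly, so treat them as exposed until upgraded or removed.
    """
    hits = {}
    for site, plugin_json in inventory.items():
        for plugin in json.loads(plugin_json):
            if plugin.get("name") != AFFECTED_SLUG:
                continue
            if is_affected(plugin.get("version", "0")):
                hits[site] = plugin["version"]
    return hits


if __name__ == "__main__":
    for site, version in find_affected(SAMPLE_INVENTORY).items():
        print(f"{site}: {AFFECTED_SLUG} {version} -> upgrade to {FIXED_VERSION}")
```

In practice the inventory dict is filled by running `wp plugin list --format=json` over SSH on each host; the rest of the script is unchanged.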
CVE-2025-49430 is a Server-Side Request Forgery vulnerability in Ultimate Video Player that lets attackers make the server issue HTTP requests on their behalf, potentially reaching internal resources. It affects all versions up to and including 10.1.
You are affected if your WordPress site uses Ultimate Video Player versions 0.0.0 through 10.1. Check your plugin versions and upgrade immediately if vulnerable.
Upgrade Ultimate Video Player to version 10.1.1 or later to resolve the SSRF vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is impossible.
As of now, there are no confirmed active exploitation campaigns targeting CVE-2025-49430, but its SSRF nature makes it a potential target.
Refer to the FWDesign website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-49430.