Platform: wordpress
Component: import-products-to-wc
Fixed in: 1.2.8
CVE-2025-5817 is a Server-Side Request Forgery (SSRF) vulnerability discovered in the Amazon Products to WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to initiate web requests to arbitrary locations, potentially exposing sensitive internal resources. The vulnerability impacts versions 1.0.0 through 1.2.7, and a patch is available in version 1.2.8.
The SSRF vulnerability in Amazon Products to WooCommerce lets an attacker craft requests that the plugin then sends from the WordPress server. Because those requests originate server-side, they can reach internal services that are not exposed to the outside world. Depending on what those services accept, an attacker could retrieve sensitive data, modify configurations, or trigger actions on internal systems. The blast radius extends to any internal resource reachable over HTTP or HTTPS from the WordPress server. The flaw is particularly concerning because it requires no authentication, so any remote party can attempt it.
CVE-2025-5817 was publicly disclosed on 2025-07-02. No known public proof-of-concept exploits are currently available, but the SSRF nature of the vulnerability makes it likely that exploits will be developed. The EPSS score is currently pending evaluation, but the ease of exploitation suggests a potential for medium to high probability of exploitation. This vulnerability shares similarities with other SSRF vulnerabilities where attackers leverage plugins to bypass security controls.
Exploit Status
EPSS: 0.18% (40th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-5817 is to upgrade the Amazon Products to WooCommerce plugin to version 1.2.8 or later immediately. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule on incoming requests to the plugin's endpoints together with host-level egress rules that block outbound requests from the WordPress server to internal or otherwise suspicious IP addresses. Additionally, restrict network access to the WordPress server to only the ports and services it needs. Regularly review WordPress plugin configurations and disable any unnecessary plugins to reduce the attack surface.
Update the Amazon Products to WooCommerce plugin to version 1.2.8 or higher to mitigate the Server-Side Request Forgery vulnerability. This update corrects how web requests are handled, preventing unauthenticated attackers from making malicious requests from the application.
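The workaround of blocking outbound requests to internal addresses can also be enforced inside WordPress itself. The must-use plugin below is an added example, not code from the Amazon Products to WooCommerce plugin or from this advisory. It assumes the plugin issues its requests through the WordPress HTTP API (wp_remote_get() and friends), which the advisory does not state; the egress_guard_* function names are hypothetical. It turns on core's own wp_http_validate_url() check for every outbound request and adds an independent resolver-based check that refuses destinations in loopback, link-local, RFC 1918 and other reserved ranges.

```php
<?php
/**
 * Plugin Name: Egress guard for the WordPress HTTP API (added example, not part of any plugin)
 * Description: Refuses outbound wp_remote_* requests whose destination resolves to a loopback,
 *              link-local, RFC 1918 or other reserved address. Place in wp-content/mu-plugins/.
 */

// Make core run wp_http_validate_url() on every outbound request. By default only callers
// that pass 'reject_unsafe_urls' => true get that check.
add_filter( 'http_request_reject_unsafe_urls', '__return_true' );

// Independent check that runs before the request is sent. Returning a WP_Error from
// 'pre_http_request' short-circuits WP_Http::request(), so the caller receives the error
// instead of a response.
add_filter( 'pre_http_request', 'egress_guard_block_private_destinations', 10, 3 );

/**
 * True when $ip is loopback, link-local, private (RFC 1918 / fc00::/7) or otherwise
 * reserved, or is not a valid IP address at all (fail closed).
 */
function egress_guard_is_private_ip( $ip ) {
	$flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
	return false === filter_var( $ip, FILTER_VALIDATE_IP, $flags );
}

/**
 * Resolve a hostname to every A/AAAA record it has. A literal IP is returned unchanged so
 * the same check applies whether the URL names a host or an address.
 */
function egress_guard_resolve( $host ) {
	if ( false !== filter_var( $host, FILTER_VALIDATE_IP ) ) {
		return array( $host );
	}
	$ips     = array();
	$records = dns_get_record( $host, DNS_A | DNS_AAAA );
	foreach ( (array) $records as $record ) {
		if ( isset( $record['ip'] ) ) {
			$ips[] = $record['ip'];
		} elseif ( isset( $record['ipv6'] ) ) {
			$ips[] = $record['ipv6'];
		}
	}
	return $ips;
}

/**
 * 'pre_http_request' callback: return false to let the request proceed, or a WP_Error to
 * abort it before any connection is opened.
 */
function egress_guard_block_private_destinations( $preempt, $parsed_args, $url ) {
	if ( false !== $preempt ) {
		return $preempt; // another filter already decided
	}

	$parts  = wp_parse_url( $url );
	$scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
	if ( empty( $parts['host'] ) || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return new WP_Error( 'egress_blocked', 'Outbound request refused: only http(s) URLs with a host are allowed.' );
	}

	$host = strtolower( trim( $parts['host'], '[]' ) ); // strip IPv6 brackets

	// Mirror core: the site's own host is allowed so cron and REST self-requests keep working.
	$home_host = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
	if ( '' !== $home_host && $host === $home_host ) {
		return false;
	}

	$ips = egress_guard_resolve( $host );
	if ( empty( $ips ) ) {
		return new WP_Error( 'egress_blocked', "Outbound request refused: {$host} does not resolve." );
	}
	foreach ( $ips as $ip ) {
		if ( egress_guard_is_private_ip( $ip ) ) {
			error_log( sprintf( 'egress_guard: blocked request to %s (%s): %s', $host, $ip, $url ) );
			return new WP_Error( 'egress_blocked', "Outbound request refused: {$host} resolves to a non-public address." );
		}
	}
	return false;
}
```

To check it is active, call wp_remote_get( 'http://127.0.0.1/' ) or wp_remote_get( 'http://169.254.169.254/' ) from WP-CLI and confirm a WP_Error with code egress_blocked comes back, then confirm a public hostname still succeeds. Two caveats: the lookup here is separate from the one the transport performs, so a name that rebinds between the two lookups could slip past, and the site's own host is exempted just as core does; the host-level egress rule the advisory recommends therefore remains the stronger control, and this guard is a second layer, not a replacement.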
CVE-2025-5817 is a Server-Side Request Forgery vulnerability affecting versions 1.0.0–1.2.7 of the Amazon Products to WooCommerce plugin, allowing attackers to make arbitrary web requests.
If you are using Amazon Products to WooCommerce version 1.0.0 through 1.2.7, you are affected by this vulnerability. Upgrade to 1.2.8 or later to mitigate the risk.
Upgrade the Amazon Products to WooCommerce plugin to version 1.2.8 or later. Consider implementing a WAF rule to block suspicious outbound requests as a temporary workaround.
While no public exploits are currently known, the SSRF nature of the vulnerability suggests a potential for exploitation. Monitor the WordPress host for unexpected outbound connections, particularly to internal or cloud-metadata addresses, and review web server logs for unauthenticated requests to the plugin's endpoints.
Refer to the official Amazon Products to WooCommerce plugin documentation and website for the latest security advisory and updates.