Platform: wordpress
Component: getcontentfromurl
Fixed in: 1.0.1
CVE-2025-14613 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the GetContentFromURL plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to initiate web requests to arbitrary locations from the WordPress application. Versions 1.0.0 through 1.0 are affected, and a fix is pending.
The SSRF vulnerability in GetContentFromURL lets an attacker craft requests through the [gcfu] shortcode's 'url' parameter. Because the plugin calls wp_remote_get() instead of the safer wp_safe_remote_get(), the user-supplied URL is not validated before the request is made. This lets an attacker reach internal services that are not directly accessible from outside, potentially exposing sensitive data or allowing modification of internal configuration. A successful attack could lead to information disclosure, privilege escalation, or even remote code execution if those internal services are themselves vulnerable. The blast radius extends to any internal resource reachable over HTTP/HTTPS from the WordPress server.
The vulnerability was publicly disclosed on 2026-01-14. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's impact is limited by the requirement for authenticated access (Contributor level or higher), reducing the immediate risk of widespread exploitation. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the GetContentFromURL plugin, particularly those with users having Contributor or higher access levels, are at risk. Shared hosting environments where users have limited control over plugin installations are also particularly vulnerable. Sites with legacy configurations or those lacking robust WAF protection are more susceptible to exploitation.
• wordpress / plugin: Use wp-cli to check plugin versions: wp plugin list --status=active. Look for GetContentFromURL versions prior to the patched version (once released).
• generic web: Monitor access logs for outbound requests to unusual or internal IP addresses originating from the WordPress server.
grep "gcfu shortcode" /var/log/apache2/access.log | grep "internal.domain.com"
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14613 is to upgrade to a patched version of the GetContentFromURL plugin as soon as it becomes available. In the interim, several workarounds can be implemented. A Web Application Firewall (WAF) can be configured to block requests to suspicious or internal IP addresses. Additionally, restrict access to the [gcfu] shortcode to only trusted users. Consider implementing input validation on the 'url' parameter to prevent malicious URLs. Monitor WordPress access logs for unusual outbound requests originating from the plugin.
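The following is an added example, not the GetContentFromURL plugin's own source code. It shows a minimal [gcfu]-style shortcode handler in the vulnerable shape the advisory describes (the 'url' attribute passed straight to wp_remote_get()), followed by a hardened version that applies the interim controls listed above: restricting the shortcode to trusted users, validating the 'url' parameter against an allowlist, and fetching with wp_safe_remote_get(). The shortcode name and the 'url' attribute come from the advisory; the function names (gcfu_example_vulnerable, gcfu_example_hardened) and the allowlisted hosts are assumptions made for illustration.

```php
<?php
// Added example, not the GetContentFromURL plugin's source. The shortcode
// name [gcfu] and its 'url' attribute come from the advisory; the function
// names and the host allowlist below are assumptions for illustration.

// Vulnerable pattern: the attribute flows straight into wp_remote_get(), so
// anyone allowed to place the shortcode can make the server fetch loopback,
// link-local or RFC 1918 addresses that it can reach.
function gcfu_example_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'url' => '' ), $atts, 'gcfu' );
    $response = wp_remote_get( $atts['url'] );      // no scheme/host validation
    if ( is_wp_error( $response ) ) {
        return '';
    }
    return wp_remote_retrieve_body( $response );    // raw body, not escaped either
}

// Hardened pattern, layering the in-code controls the advisory recommends.
function gcfu_example_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'gcfu' );

    // 1. Restrict the shortcode to trusted users: check the capability of the
    //    post's author rather than of the visitor rendering the page, because
    //    the fetch is triggered by whoever saved the shortcode into the content.
    $post = get_post();
    if ( ! $post || ! user_can( (int) $post->post_author, 'manage_options' ) ) {
        return '';
    }

    // 2. Input validation: http(s) only, then an explicit host allowlist so the
    //    site can only read from origins it actually needs (assumed values).
    $url           = esc_url_raw( trim( $atts['url'] ), array( 'http', 'https' ) );
    $host          = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    $allowed_hosts = array( 'example.com', 'www.example.com' );
    if ( '' === $url || ! in_array( $host, $allowed_hosts, true ) ) {
        return '';
    }

    // 3. wp_safe_remote_get() runs wp_http_validate_url(), which rejects
    //    non-http(s) schemes and hosts resolving to loopback or private ranges.
    //    Redirects are disabled so an allowed host cannot bounce the request
    //    to an internal address.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }

    // Escape the fetched markup before it is echoed into the page.
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}

add_shortcode( 'gcfu', 'gcfu_example_hardened' );
```

The host allowlist sits in front of wp_safe_remote_get() on purpose: wp_http_validate_url() resolves the hostname once to check whether it points at a private address, while the HTTP client resolves it again when connecting, so a name whose DNS answer changes between the two lookups could pass the built-in check. Pinning the shortcode to a short list of known origins, and refusing to follow redirects, closes that gap regardless of what the name resolves to.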
No known fix is available. Please review the vulnerability details thoroughly and implement mitigations according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement.
CVE-2025-14613 is a Server-Side Request Forgery vulnerability in the GetContentFromURL WordPress plugin, allowing authenticated users to make arbitrary web requests.
You are affected if your WordPress site uses the GetContentFromURL plugin in versions 1.0.0–1.0 and you have users with Contributor access or higher.
Upgrade to a patched version of the GetContentFromURL plugin as soon as it's available. Implement WAF rules or restrict access to the shortcode as a temporary workaround.
There is no confirmed active exploitation of CVE-2025-14613 at this time, but the vulnerability is publicly known.
Check the GetContentFromURL plugin's official website or WordPress plugin repository for updates and security advisories.