Platform
wordpress
Component
oxygen
Fixed version
6.0.9
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Laborator Oxygen WordPress plugin. This flaw allows attackers to manipulate the plugin into making requests to arbitrary internal or external resources, potentially leading to unauthorized access and data exposure. The vulnerability impacts versions from 0.0.0 up to and including 6.0.8. A fix is expected in a future release.
The SSRF vulnerability in Laborator Oxygen allows an attacker to craft malicious requests that the plugin will execute on behalf of the server. This can be exploited to access internal services that are not directly exposed to the internet, such as databases, administrative panels, or other internal APIs. Successful exploitation could lead to data breaches, privilege escalation, and even complete system compromise. The attacker could potentially scan internal networks, read sensitive configuration files, or even interact with other internal systems, expanding the blast radius of the attack. While no direct precedent exists for this specific plugin, SSRF vulnerabilities are frequently exploited to bypass security controls and gain unauthorized access to sensitive data.
The vulnerability was publicly disclosed on 2026-02-20. There is no indication of this vulnerability being listed on KEV or having a high EPSS score at this time. No public proof-of-concept exploits are currently known, but the SSRF nature of the vulnerability makes it likely that one will emerge. Monitor security advisories and vulnerability databases for updates.
WordPress websites utilizing the Laborator Oxygen plugin, particularly those with sensitive internal services accessible from the web server, are at risk. Shared hosting environments where Oxygen is installed are also vulnerable, as a compromised Oxygen instance could potentially impact other websites on the same server.
• wordpress / composer / npm:
grep -r 'http_request' /var/www/html/wp-content/plugins/oxygen/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/oxygen/ | grep Server
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
Due to the lack of a provided fixed version, immediate mitigation strategies are crucial. As a temporary workaround, implement strict input validation on any URLs or URIs processed by the Oxygen plugin. Consider using a Web Application Firewall (WAF) with SSRF protection rules to block malicious requests. Restrict network access for the Oxygen plugin to only the necessary resources. Regularly monitor Oxygen plugin logs for suspicious activity, looking for unexpected outbound requests. After a patched version is released, upgrade immediately and verify the fix by attempting a controlled SSRF request to an internal resource to confirm it is blocked.
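A URL pre-check of the kind the workaround above calls for, as an added example in PHP (not code from the Oxygen plugin): it allow-lists hosts, restricts schemes, and rejects names that resolve to private or reserved addresses. The allow-list and the stand-in DNS table are constructed for the demonstration; in a WordPress context the vetted URL would then be handed to wp_safe_remote_get().

```php
<?php
// Added example, not code from the Oxygen plugin: vet a user-supplied URL
// before the server fetches it, closing the SSRF paths the advisory describes.
const ALLOWED_HOSTS = ['cdn.example.com', 'api.example.com']; // constructed list
function ip_is_public(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, ::1, fe80::/10 and similar.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Live resolver; the demo below swaps in a table so the check runs offline.
function resolve_host(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
        $ips[] = $r['ip'] ?? $r['ipv6'] ?? '';
    }
    return $ips;
}
// Returns the URL when it is safe to fetch, null otherwise.
function validate_outbound_url(string $url, callable $resolve = 'resolve_host'): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;                                  // malformed or relative URL
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || isset($p['user']) || isset($p['pass'])) {
        return null;                                  // file://, gopher://, or user@host tricks
    }
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                                  // host not on the allow-list
    }
    $ips = $resolve($host);
    if ($ips === [] || array_filter($ips, fn($ip) => !ip_is_public($ip))) {
        return null;                                  // unresolvable, or an allowed name pointing inward
    }
    return $url; // safe to pass to wp_safe_remote_get(), which re-validates the host
}
// Constructed DNS table standing in for real resolution in this demonstration.
$fakeDns = fn(string $h): array => ['cdn.example.com' => ['203.0.113.10'],
                                    'api.example.com' => ['127.0.0.1']][$h] ?? [];
var_dump(validate_outbound_url('https://cdn.example.com/a.png', $fakeDns)); // allowed host, public address
var_dump(validate_outbound_url('https://api.example.com/', $fakeDns));      // allowed name resolving to loopback
var_dump(validate_outbound_url('http://127.0.0.1:8080/admin', $fakeDns));   // raw internal address, not allow-listed
var_dump(validate_outbound_url('file:///etc/passwd', $fakeDns));            // non-HTTP scheme
```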
No known fix patch is available. Review the vulnerability details thoroughly and apply mitigations according to your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
CVE-2025-69299 is a Server-Side Request Forgery vulnerability affecting Laborator Oxygen WordPress plugin versions 0.0.0 through 6.0.8, allowing attackers to make requests on behalf of the server.
If you are using Laborator Oxygen plugin versions 0.0.0 through 6.0.8 on your WordPress site, you are potentially affected by this SSRF vulnerability.
Currently, there is no fixed version available. Implement workarounds like input validation, WAF rules, and restricted network access until a patch is released.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the Laborator Oxygen website and WordPress plugin repository for official advisories and updates regarding CVE-2025-69299.