Platform: wordpress
Component: popup-builder-block
Fixed in: 2.1.5
CVE-2025-10861 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress. The vulnerability allows unauthenticated attackers to make the application issue web requests on their behalf, potentially reaching internal resources and performing reconnaissance. It affects plugin versions from 0.0.0 through 2.1.4, with a partial fix implemented in version 2.1 and a complete resolution in version 2.1.5.
The SSRF vulnerability in the Popup Builder plugin lets attackers supply crafted URLs that the plugin then requests server-side. This can be used to reach internal services that are not directly accessible from the outside, such as administrative dashboards, databases, or other internal APIs. An attacker could potentially query sensitive information, modify data, or gain a foothold within the internal network. Because no authentication is required, any visitor, even without a WordPress account, can trigger these requests. This presents a significant risk to WordPress sites using this plugin, especially those with sensitive internal services.
This vulnerability is publicly disclosed and documented in the NVD. While no active exploitation campaigns have been definitively linked to CVE-2025-10861 at the time of writing, the SSRF nature of the vulnerability makes it a potential target for automated scanning and exploitation. The relatively wide range of affected versions (0.0.0 – 2.1.4) increases the potential attack surface. It has not been added to the CISA KEV catalog.
WordPress websites using the Popup Builder plugin are affected, particularly those with sensitive internal services or those running older, unpatched versions (0.0.0 – 2.1.4). Shared hosting environments are also at increased risk, as a vulnerability in one site's plugin can impact multiple websites on the same server.
• wordpress / plugin: Use WP-CLI (wp-cli plugin update) to check the installed version. If it is below 2.1.5, the site is vulnerable.
• generic web: Monitor access logs for outbound requests to unusual internal IP addresses or domains originating from the plugin's files (e.g., /wp-content/plugins/popup-builder/).
• generic web: Use curl to test for SSRF by attempting to access internal resources through the plugin's URL parameter. Example: curl 'http://your-wordpress-site.com/?popup_url=http://127.0.0.1:8080'
• wordpress / plugin: Search the plugin's files for calls to wp_remote_get() or similar HTTP functions that are made without proper URL validation.
disclosure
Exploit status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-10861 is to immediately upgrade the Popup Builder plugin to version 2.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URLs or patterns indicative of SSRF exploitation. Additionally, review and restrict access to internal services to minimize the potential impact of a successful SSRF attack. Monitor WordPress access logs for unusual outbound requests originating from the plugin.
Update the 'Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers' plugin to version 2.1.5 or later to mitigate the Server-Side Request Forgery vulnerability. This update corrects the insufficient URL validation, preventing attackers from making arbitrary web requests from the application.
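To make the "insufficient URL validation" point concrete, here is an added example (not the plugin's own code) showing the weak fetch pattern next to a hardened helper built on WordPress's own SSRF protections; the function names, the REST route and the allow-list host are hypothetical.

```php
<?php
// Added example, not code from the Popup Builder plugin. Function names,
// the REST route and the sample allow-list are hypothetical.

// The weak pattern: a client-supplied URL is fetched as-is, with no
// scheme/host validation and no authorisation check on the caller.
function pb_fetch_unsafe( $url ) {
    return wp_remote_get( $url );
}

// Hardened pattern: http(s) only, allow-listed hosts only, and WordPress
// rejects loopback/private (RFC 1918) targets, also across redirects.
function pb_fetch_safe( $url, array $allowed_hosts ) {
    // wp_http_validate_url() returns false for non-http(s) schemes, URLs with
    // user:pass, ports other than 80/443/8080, and hosts resolving to
    // loopback or private ranges (unless 'http_request_host_is_external' opts in).
    $url = wp_http_validate_url( $url );
    if ( false === $url ) {
        return new WP_Error( 'pb_bad_url', 'URL rejected by wp_http_validate_url().' );
    }
    // Defence in depth: pin the host to an explicit allow-list so the site
    // never acts as a general-purpose proxy, even toward public addresses.
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return new WP_Error( 'pb_host_denied', 'Host is not on the allow-list.' );
    }
    // wp_safe_remote_get() sets reject_unsafe_urls => true, so redirect
    // targets are validated too; bound time and size of the response.
    return wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'limit_response_size' => 1048576, // 1 MiB
    ) );
}

// Hypothetical REST wiring: the endpoint is not reachable unauthenticated,
// which addresses the second half of the advisory independently of the URL check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'pb/v1', '/preview', array(
        'methods'             => 'GET',
        'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        'callback'            => function ( WP_REST_Request $req ) {
            $allowed = array( 'cdn.example.com' ); // constructed sample allow-list
            $res     = pb_fetch_safe( (string) $req->get_param( 'popup_url' ), $allowed );
            if ( is_wp_error( $res ) ) {
                return new WP_REST_Response( array( 'error' => $res->get_error_message() ), 400 );
            }
            return new WP_REST_Response( array( 'body' => wp_remote_retrieve_body( $res ) ), 200 );
        },
    ) );
} );
```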
CVE-2025-10861 is a Server-Side Request Forgery vulnerability affecting the Popup Builder WordPress plugin, allowing attackers to make requests on behalf of the application.
You are affected if you are running the Popup Builder WordPress plugin at versions 0.0.0 through 2.1.4. Upgrade to 2.1.5 or later to resolve the issue.
Upgrade the Popup Builder plugin to version 2.1.5 or later. Consider implementing a WAF rule as a temporary workaround if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are currently known, the SSRF nature of the vulnerability makes it a potential target for automated scanning and exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.