6.0.9
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Laborator Oxygen WordPress plugin. This flaw allows attackers to manipulate the plugin into making requests to arbitrary internal or external resources, potentially leading to unauthorized access and data exposure. The vulnerability impacts versions from 0.0.0 up to and including 6.0.8. A fix is expected in a future release.
The SSRF vulnerability in Laborator Oxygen allows an attacker to craft malicious requests that the plugin will execute on behalf of the server. This can be exploited to access internal services that are not directly exposed to the internet, such as databases, administrative panels, or other internal APIs. Successful exploitation could lead to data breaches, privilege escalation, and even complete system compromise. The attacker could potentially scan internal networks, read sensitive configuration files, or even interact with other internal systems, expanding the blast radius of the attack. While no direct precedent exists for this specific plugin, SSRF vulnerabilities are frequently exploited to bypass security controls and gain unauthorized access to sensitive data.
The vulnerability was publicly disclosed on 2026-02-20. There is no indication of this vulnerability being listed on KEV or having a high EPSS score at this time. No public proof-of-concept exploits are currently known, but the SSRF nature of the vulnerability makes it likely that one will emerge. Monitor security advisories and vulnerability databases for updates.
WordPress websites utilizing the Laborator Oxygen plugin, particularly those with sensitive internal services accessible from the web server, are at risk. Shared hosting environments where Oxygen is installed are also vulnerable, as a compromised Oxygen instance could potentially impact other websites on the same server.
• wordpress / composer / npm:
grep -r 'http_request' /var/www/html/wp-content/plugins/oxygen/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/oxygen/ | grep Server
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
Because no fixed version has been published, immediate mitigation is essential. As a temporary workaround, implement strict input validation on any URLs or URIs processed by the Oxygen plugin: allow only http/https, restrict destinations to an allowlist of expected hosts, and reject targets that resolve to loopback, link-local or private address ranges. Consider using a Web Application Firewall (WAF) with SSRF protection rules to block malicious requests. Restrict the web server's outbound network access to only the resources the plugin legitimately needs. Regularly monitor Oxygen plugin and web server logs for suspicious activity, looking for unexpected outbound requests. After a patched version is released, upgrade immediately and verify the fix by attempting a controlled SSRF request to an internal resource to confirm it is blocked.
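The following is an added illustration of the URL validation described above, not code from the Laborator Oxygen plugin (whose affected code is not shown in this advisory). It is a hypothetical WordPress helper that places the weak pattern (fetching whatever URL the request supplies) next to a hardened version built on the real WordPress functions wp_parse_url() and wp_safe_remote_get(); the function names oxygen_demo_* and the allowlisted host are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes it runs inside WordPress,
// so wp_parse_url(), wp_safe_remote_get(), wp_remote_get() and WP_Error exist.

// Weak pattern: the server fetches any URL the client hands it, which is the
// shape of an SSRF bug. No scheme or host check, redirects followed by default.
function oxygen_demo_fetch_unsafe( $url ) {
    return wp_remote_get( $url );
}

// Hardened pattern: allowlist scheme and host, then let WordPress reject
// unsafe targets. wp_safe_remote_get() sets reject_unsafe_urls, which runs
// wp_http_validate_url(): it refuses hosts that resolve to loopback or private
// ranges unless a site opts in via the http_request_host_is_external filter.
function oxygen_demo_fetch_safe( $url, array $allowed_hosts ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ssrf_block', 'Malformed URL' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'ssrf_block', 'Scheme not allowed' );
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return new WP_Error( 'ssrf_block', 'Credentials in URL not allowed' );
    }
    $host = strtolower( $parts['host'] );
    if ( ! in_array( $host, array_map( 'strtolower', $allowed_hosts ), true ) ) {
        return new WP_Error( 'ssrf_block', 'Host not on allowlist' );
    }
    return wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0, // a redirect could otherwise bounce the request to an internal address
    ) );
}

// Constructed usage (hypothetical allowlist): only the first URL is fetched,
// the loopback and file:// candidates are refused before any request is made.
$oxygen_demo_allowed = array( 'assets.example.com' );
$oxygen_demo_candidates = array(
    'https://assets.example.com/theme.json',
    'http://127.0.0.1:8080/admin',
    'file:///etc/hosts',
);
foreach ( $oxygen_demo_candidates as $candidate ) {
    $result = oxygen_demo_fetch_safe( $candidate, $oxygen_demo_allowed );
    $status = is_wp_error( $result ) ? 'blocked: ' . $result->get_error_message() : 'fetched';
    error_log( $candidate . ' => ' . $status );
}
```

Restricting outbound traffic at the host or network level is still worth doing alongside this check, since an application-layer allowlist protects only the code paths that call it.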
There is currently no known patch. Review the vulnerability details thoroughly and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CVE-2025-69299 is a Server-Side Request Forgery vulnerability affecting the Laborator Oxygen WordPress plugin, versions 0.0.0 through 6.0.8, that allows attackers to make requests on behalf of the server.
If you are using Laborator Oxygen plugin versions 0.0.0 through 6.0.8 on your WordPress site, you are potentially affected by this SSRF vulnerability.
Currently, there is no fixed version available. Implement workarounds like input validation, WAF rules, and restricted network access until a patch is released.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the Laborator Oxygen website and WordPress plugin repository for official advisories and updates regarding CVE-2025-69299.