Ryan Roth

**Name of the Vulnerable Software and Affected Versions** The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin versions prior to 3.0.2 **Description** The plugin does not properly restrict URLs used in the stock photo import feature, allowing a user to specify arbitrary URLs. This can lead to a server-side request forgery (SSRF), enabling an attacker to force the server to access any URL they choose. A null byte truncation bypasses validation, potentially exposing AWS metadata and credentials. **Recommendations** Update The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin to version 3.0.2 or later.