PT-2025-9081 · WordPress · Url Media Uploader
Ch4R0N
·
Published
2025-02-28
·
Updated
2025-03-01
·
CVE-2025-1662
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
URL Media Uploader plugin for WordPress versions prior to 1.1.0, or more specifically, version 1.0.0 and earlier
Description
The issue allows authenticated attackers with author-level access and above to perform Server-Side Request Forgery via the 'url media uploader url upload' action. This enables them to make web requests to arbitrary locations from the web application, potentially querying and modifying information from internal services.
Recommendations
For URL Media Uploader plugin for WordPress version 1.0.0 and earlier, consider disabling the
url media uploader url upload action until a patch is available to prevent exploitation.Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Url Media Uploader