CVE-2025-10861
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Popup Builder WordPress plugin. Unauthenticated attackers can exploit insufficient URL validation to make arbitrary web requests from the vulnerable server, potentially accessing internal services and conducting network reconnaissance. All WordPress sites using this plugin up to version 2.1.4 are affected.
💻 Affected Systems
- Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, exfiltrate data from cloud metadata services, scan internal networks, or pivot to attack other internal systems.
Likely Case
Attackers will scan internal networks, access internal APIs, or attempt to reach cloud metadata endpoints to steal credentials.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the web server making external requests.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and require minimal technical skill. The unauthenticated nature makes this particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.1.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3379308/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Popup Builder' plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 2.1.5+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Popup Builder plugin until patched
wp plugin deactivate popup-builder-block
Web Application Firewall rule
allBlock requests containing suspicious URL parameters targeting the vulnerable endpoint
🧯 If You Can't Patch
- Implement strict egress filtering to limit outbound connections from web servers
- Deploy network segmentation to isolate web servers from internal services
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Popup Builder' version 2.1.4 or earlierCheck Version:
wp plugin get popup-builder-block --field=versionVerify Fix Applied:
Verify plugin version is 2.1.5 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IPs or cloud metadata endpoints
- Requests to /wp-json/popup-builder/v1/fetch-demo with suspicious URL parameters
Network Indicators:
- Web server making unexpected HTTP requests to internal network ranges
- Requests to 169.254.169.254 (AWS metadata) or similar cloud provider endpoints
SIEM Query:
source="web_server_logs" AND (uri="/wp-json/popup-builder/v1/fetch-demo" OR user_agent LIKE "%PopupBuilder%") AND (url_param CONTAINS "internal" OR url_param CONTAINS "169.254" OR url_param CONTAINS "localhost")🔗 References
- https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L15
- https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L35
- https://plugins.trac.wordpress.org/changeset/3369146/
- https://plugins.trac.wordpress.org/changeset/3379308/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5f4767b5-5dd6-4a2a-b44a-5297432286b1?source=cve
