CVE-2025-30914
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio's Metform WordPress plugin allows attackers to make the vulnerable server send HTTP requests to internal or external systems. It affects WordPress sites using Metform contact form builder from unspecified versions through 3.9.2. Attackers could potentially access internal services or perform port scanning through the vulnerable server.
💻 Affected Systems
- XpeedStudio Metform Elementor Contact Form Builder
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker accesses internal services, exfiltrates sensitive data from internal networks, or performs attacks against internal systems using the vulnerable server as a proxy.
Likely Case
Attacker performs port scanning of internal networks, accesses metadata services (like AWS/Azure instance metadata), or makes requests to internal web applications.
If Mitigated
Limited impact due to network segmentation, egress filtering, or internal service authentication requirements.
🎯 Exploit Status
SSRF vulnerabilities typically have low exploitation complexity when unauthenticated access is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Metform Elementor Contact Form Builder'
4. Click 'Update Now' if update is available
5. Alternatively, download version 3.9.3 or later from the WordPress plugin repository
6. Deactivate old version and upload new version via WordPress admin
🔧 Temporary Workarounds
Disable Metform Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate metform
Network Egress Filtering
Restrict outbound HTTP/HTTPS requests from web servers to only the external services they need
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SSRF patterns in requests
- Restrict server outbound network access using firewall rules to prevent internal network scanning
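The egress-filtering and WAF advice above comes down to one decision: before the server fetches a user-supplied URL, refuse any destination that is not a public address. The following is an added Python example of that check, written for this page; it is not Metform's code and not a published fix for this CVE. The resolver is injectable so the check can be exercised offline, and the hostnames in the accompanying lookup table are constructed.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# 100.64.0.0/10 (shared address space) is listed explicitly because some cloud
# metadata endpoints, such as the 100.100.100.200 address named in the detection
# section, sit inside it. ipaddress already reports the range as non-global, so
# this entry documents intent rather than adding coverage.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA record for host, via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip_text: str) -> bool:
    """True for any address a user-supplied URL must never reach."""
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (169.254.0.0/16 included),
    # RFC 1918, unspecified, unique-local and other special-purpose ranges.
    if not ip.is_global:
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def check_outbound_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal address: nothing to resolve
    except ValueError:
        try:
            candidates = list(resolver(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not candidates:
        return False, "host resolved to no addresses"
    # Refuse if *any* record is blocked: the HTTP client may connect to any of them.
    for addr in candidates:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Two points matter when wiring this in. The decision has to be tied to the address the HTTP client actually connects to (pin the resolved address rather than resolving twice), otherwise a DNS answer that changes between check and connect bypasses it; and the check must be re-run on every redirect, because a public host that redirects to an internal one is the other common way past a one-time URL check.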
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Metform version. If the version is 3.9.2 or earlier and no patch date is shown, it is vulnerable.
Check Version:
wp plugin get metform --field=version
Verify Fix Applied:
Verify Metform plugin version is 3.9.3 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IP ranges
- Requests to metadata services (169.254.169.254, 100.100.100.200)
- Multiple rapid HTTP requests to sequential IP addresses from same source
Network Indicators:
- Web server making unexpected outbound HTTP requests
- Requests to internal network ranges from external-facing server
SIEM Query:
source="web_server_logs" AND (dst_ip=169.254.169.254 OR dst_ip=100.100.100.200 OR dst_network="10.0.0.0/8" OR dst_network="172.16.0.0/12" OR dst_network="192.168.0.0/16")
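The SIEM query above matches destinations one record at a time; the third log indicator (rapid requests to sequential addresses) needs state carried across records. The following added Python example, not from this page or any vendor, runs both checks over a constructed key=value sample of outbound-connection records. The field names ts, src and dst_ip, and the threshold of five consecutive hosts within 60 seconds, are assumptions; a real deployment would read proxy, firewall or host flow logs.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Destinations named in the page's log indicators and SIEM query.
METADATA_IPS = {ipaddress.ip_address(a) for a in ("169.254.169.254", "100.100.100.200")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (hypothetical format): one outbound connection per line.
SAMPLE_LOG = """\
ts=1000 src=web01 dst_ip=93.184.216.34 dst_port=443
ts=1001 src=web01 dst_ip=169.254.169.254 dst_port=80
ts=1002 src=web01 dst_ip=10.0.0.1 dst_port=80
ts=1003 src=web01 dst_ip=10.0.0.2 dst_port=80
ts=1004 src=web01 dst_ip=10.0.0.3 dst_port=80
ts=1005 src=web01 dst_ip=10.0.0.4 dst_port=80
ts=1006 src=web01 dst_ip=10.0.0.5 dst_port=80
ts=1500 src=web02 dst_ip=8.8.8.8 dst_port=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Turn 'k=v k=v ...' into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def classify_destination(ip_text: str) -> str | None:
    """Mirror the SIEM query: metadata endpoint, RFC 1918 range, or nothing."""
    ip = ipaddress.ip_address(ip_text)
    if ip in METADATA_IPS:
        return "metadata-service"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-range"
    return None


def longest_consecutive_run(values: set[int]) -> tuple[int, int]:
    """Length and starting value of the longest run of consecutive integers."""
    best_len, best_start = 0, 0
    for v in values:
        if v - 1 in values:
            continue  # not the start of a run
        n = 1
        while v + n in values:
            n += 1
        if n > best_len:
            best_len, best_start = n, v
    return best_len, best_start


def find_sequential_scans(events: list[dict[str, str]], min_hosts: int = 5,
                          window_s: int = 60) -> list[dict]:
    """Flag a source that touches min_hosts consecutive addresses within window_s."""
    by_src: dict[str, list[tuple[int, int]]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((int(e["ts"]), int(ipaddress.ip_address(e["dst_ip"]))))
    findings = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            in_window = {ip for t, ip in evs[i:] if t - t0 <= window_s}
            run, start = longest_consecutive_run(in_window)
            if run >= min_hosts:
                findings.append({"kind": "sequential-scan", "src": src,
                                 "first_host": str(ipaddress.ip_address(start)), "hosts": run})
                break  # one finding per source is enough
    return findings


def analyze_log(text: str, min_hosts: int = 5, window_s: int = 60) -> list[dict]:
    """Destination matches (stateless) plus sequential-scan findings (stateful)."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    findings = []
    for e in events:
        kind = classify_destination(e["dst_ip"])
        if kind:
            findings.append({"kind": kind, "src": e["src"], "dst_ip": e["dst_ip"], "ts": int(e["ts"])})
    findings.extend(find_sequential_scans(events, min_hosts, window_s))
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

On the sample, web01 produces one metadata-service hit, five internal-range hits and one sequential-scan finding, while web02's request to a public address produces nothing. The destination rules are cheap enough to run inline; the scan heuristic should be tuned against the server's normal traffic (a server that legitimately talks to several internal backends needs a higher threshold or an allowlist of known destinations).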