WordPress Plugin Vulnerabilities

Pz-LinkCard < 2.5.7 - Contributor+ SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
pz-linkcard
Fixed in 2.5.7

References

CVE
CVE-2025-8594
URL
https://research.cleantalk.org/cve-2025-8594

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
17104590-d84e-41b7-83ac-9b15fcfb537a

Timeline

Publicly Published
2025-09-23 (about 3 months ago)
Added
2025-09-23 (about 3 months ago)
Last Updated
2025-09-23 (about 3 months ago)

Other

Published
Title
Published
2024-04-25
Title
Radio Player < 2.0.74 - Unauthenticated Server-Side Request Forgery
Published
2025-03-24
Title
WP Compress < 6.30.16 - Unauthenticated Server-Side Request Forgery via init Function
Published
2024-04-22
Title
Culqi < 3.0.15 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-05-07
Title
WebinarPress <= 1.33.27 - Authenticated (Administrator+) Server-Side Request Forgery
Published
2025-04-01
Title
ElementsCSS Addons for Elementor <= 1.0.8.7 - Unauthenticated Server-Side Request Forgery