WP Migrate Lite < 2.7.7 – Unauthenticated Blind Server-Side Request Forgery | CVE 2025-11427 | Plugin Vulnerabilities

Description

The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services.

Affects Plugins

Fixed in 2.7.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4b098711-ed01-4a71-b0df-30ff4fffa930

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

316bb650-49c9-448b-9ac6-4ca5eb11d6cd

Timeline

Publicly Published

2025-11-17 (about 5 months ago)

Added

2025-11-17 (about 5 months ago)

Last Updated

2026-01-13 (about 4 months ago)

Other

Published

Title

Published

2025-04-01

Title

ElementsCSS Addons for Elementor <= 1.0.8.7 - Unauthenticated Server-Side Request Forgery

Published

2024-05-02

Title

CAS <= 1.0.0 - Unauthenticated SSRF

Published

2024-08-06

Title

Modern Events Calendar <= 7.12.1 - Subscriber+ Server Side Request Forgery

Published

2024-06-18

Title

WordPress Picture / Portfolio / Media Gallery <= 3.0.1 - Unauthenticated Server-Side Request Forgery

Published

2025-12-10

Title

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator < 5.1.2 - Unauthenticated Blind Server-Side Request Forgery