
CVE-2025-10145: CWE-918 Server-Side Request Forgery (SSRF) in themeisle Auto Featured Image (Auto Post Thumbnail)

Severity: High
Tags: Vulnerability, CVE-2025-10145, CWE-918
Published: Tue Oct 28 2025 (10/28/2025, 05:27:29 UTC)
Source: CVE Database V5
Vendor/Project: themeisle
Product: Auto Featured Image (Auto Post Thumbnail)

Description

The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval.

AI-Powered Analysis

Last updated: 10/28/2025, 06:05:36 UTC

Technical Analysis

CVE-2025-10145 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, found in the Auto Featured Image (Auto Post Thumbnail) plugin for WordPress developed by themeisle. This vulnerability affects all versions up to and including 4.1.7 and arises from the upload_to_library function, which improperly handles user-supplied input to generate HTTP requests from the server. An attacker with authenticated Author-level access or higher can exploit this flaw to induce the WordPress server to send arbitrary HTTP requests to internal or external systems. This can lead to unauthorized querying and potential modification of internal services that are otherwise inaccessible from the outside, such as internal APIs, metadata services on cloud platforms, or other sensitive endpoints. The SSRF does not require user interaction beyond authentication and can be leveraged to gather sensitive information or pivot attacks within the internal network. The vulnerability has a CVSS 3.1 base score of 7.7, indicating high severity, with network attack vector, low attack complexity, and no user interaction required. The scope is changed because the vulnerability affects resources beyond the initially vulnerable component, impacting confidentiality significantly but not integrity or availability directly. No patches are currently linked, and no active exploitation has been reported, but the potential for impactful internal reconnaissance and data exposure is substantial.

Potential Impact

For European organizations, this SSRF vulnerability poses a significant risk to the confidentiality of internal network resources and cloud metadata services. Organizations relying on WordPress sites with the vulnerable plugin installed, especially those hosted on cloud platforms like AWS, Azure, or Google Cloud, may have their internal services exposed to attackers with Author-level access. This could lead to unauthorized data disclosure, including sensitive configuration details or credentials accessible via metadata services. The ability to query or modify internal services could facilitate lateral movement or further compromise within corporate networks. Given the widespread use of WordPress across Europe and the popularity of themeisle plugins, many organizations could be affected, particularly those in sectors with high-value data such as finance, healthcare, and government. The impact is exacerbated in cloud environments where metadata service exposure can lead to privilege escalation or data leakage. Additionally, the requirement for authenticated access means insider threats or compromised user accounts could exploit this vulnerability to bypass network segmentation controls.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Auto Featured Image (Auto Post Thumbnail) plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or removing the plugin to eliminate the attack vector. Restricting user roles and permissions to the minimum necessary, especially limiting Author-level access, can reduce the risk of exploitation. Implement network-level controls to restrict outbound HTTP requests from WordPress servers to only trusted destinations, thereby limiting SSRF impact. Monitoring and logging HTTP requests originating from WordPress instances can help detect anomalous behavior indicative of exploitation attempts. For cloud-hosted environments, applying metadata service access restrictions (e.g., AWS IMDSv2 enforcement) can mitigate metadata retrieval risks. Organizations should also educate administrators and users about the risk of SSRF and enforce strong authentication and account monitoring to prevent account compromise. Once a patch becomes available, prompt application is critical. Finally, consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities to provide an additional layer of defense.
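The root cause described in the technical analysis is a server-side fetch whose destination comes straight from user input; the mitigation above asks for outbound requests to be confined to trusted, non-internal destinations. The following is an added example of that destination check, written here for illustration and not code from the Auto Featured Image plugin or from themeisle. It resolves the target host and rejects any answer that is loopback, private, link-local (the cloud metadata endpoint 169.254.169.254 lives there), CGNAT, documentation or otherwise non-public space, and only permits http/https on the default ports. The hostname table and the function names are constructed so the example runs offline; in production the system resolver is passed in instead.

```python
"""Destination allow-check for server-side URL fetches (added example).

Assumptions: FAKE_DNS and the helper names below are constructed for this
example; nothing here is the plugin's own code. Real deployments pass
real_resolve() as the resolver.
"""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed hostname table standing in for DNS so the example runs offline.
# 93.184.216.34 is used only as a stand-in for an ordinary public address;
# note that the RFC 5737 documentation ranges (e.g. 203.0.113.0/24) are
# deliberately NOT global in the stdlib and would be rejected.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],            # cloud metadata endpoint
    "intranet.corp.example": ["10.20.30.40"],            # RFC 1918 space
    "dual.example.net": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def fake_resolve(host: str) -> List[str]:
    """Offline resolver over the constructed table; unknown names fail like NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"constructed resolver: unknown host {host!r}")


def real_resolve(host: str) -> List[str]:
    """Resolve via the system resolver, returning every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    is_global is False for private, loopback, link-local, CGNAT, reserved,
    documentation, IPv4-mapped and unspecified ranges, so the metadata
    address and every internal range are covered by the stdlib registry.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def is_safe_fetch_target(url: str, resolve: Resolver = fake_resolve) -> bool:
    """Decide whether the server may fetch `url` on behalf of a user."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False  # user:pass@host forms are rejected outright
    host = parts.hostname
    if not host:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    # A literal IP address (v4 or bracketed v6) needs no lookup.
    try:
        return is_public_address(host)
    except ValueError:
        pass
    try:
        answers = resolve(host)
    except OSError:
        return False  # unresolvable names are refused, not retried
    # Every answer must be public: a name that resolves to both a public and
    # an internal address is rejected, since the client may connect to either.
    return bool(answers) and all(is_public_address(a) for a in answers)


if __name__ == "__main__":
    for u in ("https://images.example.com/a.jpg",
              "http://metadata.internal/latest/meta-data/",
              "http://169.254.169.254/",
              "https://dual.example.net/"):
        print(f"{'ALLOW' if is_safe_fetch_target(u) else 'DENY ':5} {u}")
```

Two caveats matter when wiring a check like this into a fetch: an HTTP client that follows redirects must re-run it on every hop, and the address that was validated must be the one the connection actually uses, so the strongest form resolves once, checks, and then connects to the vetted IP rather than resolving the name a second time.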


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-08T21:57:57.014Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69005d1b5553ed2111ccc330

Added to database: 10/28/2025, 6:05:15 AM

Last enriched: 10/28/2025, 6:05:36 AM

Last updated: 10/28/2025, 1:10:03 PM

