CVE-2025-10861 is a Server-Side Request Forgery (SSRF) vulnerability identified in the roxnor Popup builder plugin for WordPress, which includes features such as Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers. The vulnerability exists due to inadequate validation of URLs passed through a URL parameter, allowing unauthenticated attackers to coerce the vulnerable server into making HTTP requests to arbitrary locations. This can be exploited to access internal services that are otherwise inaccessible externally, potentially exposing sensitive data or enabling further attacks such as internal network reconnaissance or lateral movement. The vulnerability affects all versions up to and including 2.1.4, with a partial patch applied in version 2.1.4, indicating that earlier versions remain fully vulnerable. The CVSS v3.1 base score is 7.5, reflecting a high severity with network attack vector, no privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. The plugin’s integration with WooCommerce increases the risk profile for e-commerce sites, as internal APIs or backend services may be exposed. No public exploits have been reported yet, but the ease of exploitation and unauthenticated access make this a critical concern for WordPress sites using this plugin. The vulnerability highlights the importance of strict input validation and limiting server-side HTTP requests to trusted endpoints.

For European organizations, this SSRF vulnerability poses significant risks, especially for those operating e-commerce platforms using WooCommerce integrated with the vulnerable plugin. Attackers can exploit the flaw to access internal services, potentially exposing sensitive customer data, internal APIs, or backend administrative interfaces. This can lead to data breaches, unauthorized information disclosure, and facilitate further attacks such as privilege escalation or lateral movement within the network. The vulnerability’s unauthenticated nature increases the attack surface, allowing external attackers to target organizations without needing credentials. Given the widespread use of WordPress and WooCommerce in Europe, particularly in countries with large e-commerce markets, the impact could be substantial. Additionally, internal network reconnaissance enabled by SSRF can help attackers map internal infrastructure, increasing the risk of subsequent targeted attacks. Although availability and integrity are not directly impacted, confidentiality breaches alone can result in regulatory penalties under GDPR and damage to organizational reputation.

European organizations should immediately verify the version of the roxnor Popup builder plugin in use and upgrade to the latest patched version beyond 2.1.4 where the vulnerability is partially addressed. If upgrading is not immediately possible, implement web application firewall (WAF) rules to detect and block suspicious SSRF patterns targeting the URL parameter. Restrict outbound HTTP requests from the web server to only trusted IP ranges or domains to limit the ability of SSRF to reach internal services. Conduct thorough input validation and sanitization on any URL parameters to ensure only legitimate and safe URLs are processed. Monitor server logs for unusual outbound requests that could indicate exploitation attempts. Additionally, segment internal networks to reduce the impact of SSRF-based reconnaissance and enforce strict access controls on internal services. Regularly audit WordPress plugins for vulnerabilities and maintain an up-to-date inventory to quickly respond to emerging threats.