CVE-2025-10861: CWE-918 Server-Side Request Forgery (SSRF) in roxnor Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.
AI Analysis
Technical Summary
CVE-2025-10861 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 affecting the roxnor WordPress plugin named 'Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers.' This plugin is widely used to create interactive popups with gamification features and WooCommerce integration. The vulnerability exists due to improper validation of URLs passed via a URL parameter, which allows unauthenticated attackers to craft requests that the server executes on their behalf. As a result, attackers can make the vulnerable server send HTTP requests to arbitrary internal or external locations, potentially accessing internal services that are not otherwise exposed externally. This can facilitate network reconnaissance, data exfiltration, or unauthorized interaction with internal APIs or services. The vulnerability affects all plugin versions up to and including 2.1.4, with a partial fix introduced in 2.1.4. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact. The vulnerability does not impact integrity or availability directly. No public exploit code or active exploitation has been reported yet, but the risk remains significant given the plugin’s popularity and the critical nature of SSRF attacks in WordPress environments.
Potential Impact
The primary impact of this SSRF vulnerability is unauthorized internal network access and information disclosure. Attackers can leverage the vulnerable plugin to pivot into internal services that are normally inaccessible from the internet, potentially exposing sensitive internal APIs, databases, or cloud metadata services. This can lead to data leakage, unauthorized data queries, or further exploitation chains such as privilege escalation or lateral movement within the network. For e-commerce sites using WooCommerce, this could expose customer data or transactional information. The vulnerability does not directly allow code execution or denial of service but can be a critical stepping stone in multi-stage attacks. Organizations worldwide running WordPress sites with this plugin are at risk, especially those with sensitive internal infrastructure behind firewalls. The lack of authentication requirement and ease of exploitation increase the threat level. The partial patch in version 2.1.4 suggests that sites running earlier versions are particularly vulnerable. The absence of known exploits in the wild provides a window for remediation before active attacks emerge.
Mitigation Recommendations
Organizations should immediately verify the version of the roxnor Popup builder plugin deployed on their WordPress sites and upgrade to the latest version beyond 2.1.4 where the partial patch was introduced. If a fully patched version is not yet available, consider disabling or removing the plugin temporarily to eliminate exposure. Implement strict input validation and URL whitelisting on any parameters that accept URLs to prevent SSRF attempts. Network segmentation and firewall rules should restrict the web server’s ability to make arbitrary outbound requests, especially to internal IP ranges and sensitive services such as cloud metadata endpoints. Employ Web Application Firewalls (WAFs) with SSRF detection capabilities to monitor and block suspicious outbound requests. Regularly audit and monitor logs for unusual outbound HTTP requests originating from the web server. Additionally, review and harden internal service authentication and access controls to minimize damage if SSRF is exploited. Engage with the plugin vendor for updates and security advisories to ensure full remediation.
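The input validation and URL allowlisting step above, as an added example that is not part of this advisory or of the plugin's own code: a resolve-then-check validator written in Python (the same logic would be implemented in PHP inside a WordPress plugin), with a constructed host allowlist and constructed DNS answers so it runs offline. Checking the URL string alone is not enough; the address the host resolves to is what decides whether an internal service or a cloud metadata endpoint is reachable.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames the site is permitted to fetch from (constructed sample allowlist).
ALLOWED_HOSTS = {"cdn.example.com", "api.example.com"}

# Address ranges an outbound request must never reach: loopback, RFC 1918,
# CGNAT, multicast/reserved, and link-local, where cloud metadata endpoints live.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolver(host):
    """Resolve a hostname to the set of IP address strings using real DNS."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason, pinned_ip). Checks the scheme, an explicit host
    allowlist, and then every address the host actually resolves to, so a URL
    that looks harmless cannot be used to reach an internal service."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", None
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", None
    try:
        addrs = resolver(host)
    except OSError:
        return False, "DNS resolution failed", None
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
        ip = (ip.ipv4_mapped or ip) if ip.version == 6 else ip
        if any(ip in net for net in BLOCKED_NETS):
            return False, f"resolves to blocked address {addr}", None
    # Hand back one checked address so the caller connects to exactly what was
    # validated; pinning closes the DNS-rebinding gap between check and use.
    return True, "ok", sorted(addrs)[0]


# Constructed DNS answers for an offline demonstration; these are not real records.
FAKE_DNS = {"cdn.example.com": {"93.184.216.34"}, "api.example.com": {"169.254.169.254"}}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("no such host")
    return FAKE_DNS[host]
```

Perform the actual fetch against the pinned address with redirects disabled; following a redirect issued by an allowlisted host would otherwise bypass the check entirely.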
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-22T22:56:11.517Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb65c0e72abe4943328fa0
Added to database: 10/24/2025, 11:40:48 AM
Last enriched: 2/27/2026, 6:41:44 PM
Last updated: 3/24/2026, 12:54:58 PM