CVE-2025-11361 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress, affecting all versions up to and including 5.7.1. The vulnerability resides in the eb_save_ai_generated_image function, which improperly handles user input, allowing authenticated users with Author-level access or higher to induce the server to make HTTP requests to arbitrary locations. SSRF vulnerabilities enable attackers to bypass network restrictions by leveraging the vulnerable server as a proxy to access internal services that are otherwise inaccessible externally. In this case, the attacker can query internal endpoints, potentially extracting sensitive information or manipulating internal resources. The vulnerability does not require user interaction beyond authentication, and the attacker must have at least Author privileges, which are commonly assigned to content creators or editors in WordPress. The CVSS 3.1 base score is 6.4 (medium severity), reflecting the network attack vector, low attack complexity, and the requirement for privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect resources beyond the initially vulnerable component. No patches or exploits are currently publicly available, but the risk remains significant due to the potential for internal network reconnaissance and data exposure. The vulnerability is cataloged under CWE-918, which covers SSRF issues. Given the widespread use of WordPress and this plugin, the vulnerability poses a notable risk to websites that rely on these components for content management and page building.

For European organizations, this SSRF vulnerability can lead to unauthorized internal network scanning and data exfiltration from internal services that are normally protected by network segmentation or firewalls. Attackers with Author-level access could leverage this flaw to gather sensitive information such as internal API endpoints, configuration data, or other protected resources, potentially facilitating further attacks like privilege escalation or lateral movement. This is particularly concerning for organizations hosting sensitive data or critical infrastructure on WordPress sites using this plugin. The vulnerability could also be exploited to modify internal service data if such services accept requests from the vulnerable server, leading to integrity breaches. Although the vulnerability does not directly cause denial of service, the indirect consequences of internal network compromise could be severe. European organizations with strict data protection regulations (e.g., GDPR) may face compliance risks if internal data is exposed or manipulated. The medium severity score suggests a moderate but actionable risk, especially in environments where multiple users have elevated WordPress privileges.

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2. Monitor and log outbound HTTP requests from WordPress servers to detect unusual or unauthorized internal network access patterns. 3. Implement network segmentation and firewall rules to limit the WordPress server's ability to reach sensitive internal services, reducing the attack surface for SSRF exploitation. 4. Disable or remove the Gutenberg Essential Blocks – Page Builder plugin if it is not essential to operations until a patch is released. 5. Regularly check for updates from the plugin vendor and apply patches promptly once available. 6. Conduct internal audits of WordPress user roles and permissions to ensure least privilege principles are enforced. 7. Employ Web Application Firewalls (WAFs) with rules designed to detect and block SSRF attempts targeting the vulnerable function. 8. Educate site administrators and developers about the risks of SSRF and the importance of secure plugin management.