The WPeMatico RSS Feed Fetcher plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-11917, classified under CWE-918. This vulnerability exists in all versions up to and including 2.8.11, specifically within the wpematico_test_feed() function. SSRF vulnerabilities allow an attacker to abuse the server's functionality to send crafted requests to internal or external systems that the attacker normally cannot access. In this case, an attacker with authenticated access at the Subscriber level or higher can trigger the vulnerable function to make arbitrary HTTP requests originating from the web server hosting the WordPress site. This can be leveraged to access internal services, potentially bypassing firewall restrictions, and to query or modify sensitive information within the internal network. The vulnerability does not require user interaction but does require low-privilege authentication, which broadens the attack surface since Subscriber-level access is commonly granted to registered users. The CVSS v3.1 base score is 6.4, reflecting medium severity due to the potential confidentiality and integrity impacts without affecting availability. No public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a significant risk. The lack of available patches at the time of reporting means organizations must implement interim mitigations to reduce exposure.

The exploitation of this SSRF vulnerability can have several impacts on organizations worldwide. Attackers can leverage it to perform internal network reconnaissance, potentially discovering and interacting with internal services that are not exposed externally. This can lead to unauthorized access to sensitive data, modification of internal resources, or pivoting to further attacks within the network. Since the vulnerability requires only Subscriber-level authentication, attackers can exploit it even in environments with relatively low-trust users, increasing the risk in multi-user WordPress deployments. The confidentiality and integrity of internal systems are at risk, although availability is not directly impacted. Organizations relying on WPeMatico RSS Feed Fetcher for content aggregation or automation may face data breaches or unauthorized internal access if the vulnerability is exploited. The medium CVSS score indicates a significant but not critical threat, yet the potential for lateral movement and data exposure makes it a serious concern for organizations with sensitive internal services behind their WordPress installations.

To mitigate this vulnerability, organizations should first update the WPeMatico RSS Feed Fetcher plugin to a patched version once it becomes available. Until a patch is released, administrators should consider the following specific actions: 1) Restrict plugin usage to trusted users only, minimizing Subscriber-level access or disabling the plugin if feasible. 2) Implement strict outbound network filtering on the web server to limit the destinations for HTTP requests initiated by the server, blocking access to internal IP ranges and sensitive services. 3) Use Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the wpematico_test_feed() function or unusual SSRF patterns. 4) Monitor logs for anomalous activity related to feed fetching or unexpected internal network requests originating from the WordPress server. 5) Consider isolating the WordPress server in a segmented network zone with limited access to internal services to reduce the impact of potential SSRF exploitation. 6) Educate users about the risks of granting Subscriber-level access and review user roles and permissions regularly. These targeted mitigations can reduce the risk until an official patch is deployed.