CVE-2025-11917 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WPeMatico RSS Feed Fetcher plugin for WordPress, affecting all versions up to and including 2.8.11. The vulnerability resides in the wpematico_test_feed() function, which allows authenticated users with Subscriber-level privileges or higher to trigger the plugin to make HTTP requests to arbitrary URLs. SSRF vulnerabilities enable attackers to abuse the server as a proxy to send crafted requests to internal or external systems, potentially bypassing firewall restrictions and accessing sensitive internal resources that are not directly exposed to the internet. In this case, the attacker can leverage the SSRF to query internal services, potentially extracting sensitive information or modifying data if internal services are vulnerable or misconfigured. The CVSS 3.1 base score of 6.4 reflects a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C) that affects confidentiality and integrity but not availability. No public exploits or patches are currently known, increasing the importance of proactive mitigation. The vulnerability's exploitation requires authenticated access, which limits the attack surface but remains significant given that Subscriber-level access is relatively low privilege in WordPress. This vulnerability is particularly concerning for organizations that allow broad user registration or have weak access controls on their WordPress sites. Since WordPress powers a substantial portion of European websites, and WPeMatico is a popular plugin for RSS feed aggregation, the risk is non-trivial. Attackers could use this SSRF to pivot into internal networks, access metadata services, or exploit other internal vulnerabilities, potentially leading to data breaches or further compromise.

For European organizations, this SSRF vulnerability poses a risk of unauthorized internal network reconnaissance and data exfiltration. Attackers with low-level authenticated access could leverage the vulnerability to access internal services that are otherwise protected by network segmentation or firewalls, potentially exposing sensitive information such as internal APIs, databases, or cloud metadata endpoints. This could lead to further exploitation, including privilege escalation or lateral movement within the network. The integrity of internal data could also be compromised if internal services allow modification via the SSRF. While availability is not directly impacted, the breach of confidentiality and integrity can have severe consequences, including regulatory non-compliance under GDPR, reputational damage, and financial losses. Organizations relying on WordPress for public-facing websites or intranet portals that use WPeMatico are particularly at risk. The medium severity rating suggests that while the vulnerability is not trivially exploitable by unauthenticated attackers, the ease of exploitation by authenticated users and the potential for internal network compromise make it a significant threat. Given the widespread use of WordPress in Europe, the vulnerability could affect a broad range of sectors including government, finance, healthcare, and media.

European organizations should immediately audit their WordPress installations to identify the presence of the WPeMatico RSS Feed Fetcher plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or uninstalling the plugin if it is not essential. For sites requiring the plugin, restrict user registration and enforce strict access controls to limit Subscriber-level access only to trusted users. Implement web application firewalls (WAFs) with rules designed to detect and block SSRF attempts, especially those targeting internal IP ranges or sensitive endpoints. Network segmentation should be enforced to limit the WordPress server’s ability to reach internal services unnecessarily. Monitoring and logging of outbound HTTP requests from the web server should be enhanced to detect anomalous activity indicative of SSRF exploitation. Additionally, review internal services for exposure and ensure they require proper authentication and authorization, minimizing the impact if accessed via SSRF. Organizations should stay alert for official patches or updates from the plugin vendor and apply them promptly once available. Conduct regular security assessments and penetration testing focusing on SSRF and related vulnerabilities in web applications.