CVE-2025-14613 is a Server-Side Request Forgery (SSRF) vulnerability identified in the daschmi GetContentFromURL WordPress plugin, affecting all versions up to and including 1.0. The vulnerability stems from the plugin's use of the wp_remote_get() function to fetch content from a URL provided by users via the 'url' parameter in the [gcfu] shortcode. Unlike wp_safe_remote_get(), wp_remote_get() does not enforce restrictions on the destination of HTTP requests, allowing an attacker with authenticated access at the Contributor level or higher to cause the server to make arbitrary HTTP requests to internal or external systems. This can be leveraged to access internal services that are not otherwise exposed externally, potentially leading to information disclosure or unauthorized modification of internal data. The vulnerability requires authentication but no additional user interaction, and the scope is limited to WordPress sites running this plugin. The CVSS 3.1 base score is 7.2 (high), reflecting the network attack vector, low attack complexity, no privileges required beyond Contributor access, no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the potential for internal network reconnaissance and data manipulation. The lack of available patches at the time of publication increases the urgency for interim mitigations.

For European organizations, this vulnerability could allow attackers with Contributor-level access to WordPress sites to perform SSRF attacks, potentially accessing sensitive internal services such as intranet applications, metadata services, or internal APIs that are not exposed externally. This can lead to unauthorized information disclosure, including sensitive configuration or user data, and possibly unauthorized modification of internal resources if such services accept HTTP requests that alter state. The impact is particularly critical for organizations hosting sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies, where internal network confidentiality is paramount. Additionally, the exploitation could facilitate lateral movement within the network or serve as a foothold for further attacks. Given the widespread use of WordPress in Europe, especially in small and medium enterprises and public sector websites, the risk of exploitation is non-trivial. The vulnerability's requirement for authenticated access somewhat limits the attack surface but does not eliminate risk, especially in environments with weak access controls or compromised user credentials.

1. Immediately audit WordPress sites for the presence of the daschmi GetContentFromURL plugin and disable or remove it if not essential. 2. If the plugin is required, restrict Contributor-level access strictly and review user permissions to minimize the number of users who can exploit this vulnerability. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests containing the [gcfu] shortcode or unusual URL parameters that could trigger SSRF. 4. Apply network segmentation and firewall rules to restrict outbound HTTP requests from web servers to only trusted external endpoints, blocking access to internal IP ranges and sensitive services. 5. Monitor logs for unusual outbound HTTP requests originating from WordPress servers, especially to internal IP addresses or localhost. 6. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. 7. Consider using security plugins or tools that enforce safe HTTP request functions or sanitize user inputs to prevent SSRF. 8. Educate site administrators and content contributors about the risks of SSRF and the importance of cautious use of shortcodes that fetch external content.