CVE-2025-14613 is a Server-Side Request Forgery (SSRF) vulnerability identified in the GetContentFromURL WordPress plugin developed by daschmi. The vulnerability stems from the plugin's use of the wp_remote_get() function to retrieve content from URLs supplied by users through the 'url' parameter in the [gcfu] shortcode. Unlike wp_safe_remote_get(), wp_remote_get() does not enforce restrictions on the destination of HTTP requests, allowing an attacker with Contributor-level or higher privileges to induce the server to send arbitrary HTTP requests to internal or external systems. This can lead to unauthorized access or modification of internal services that are otherwise inaccessible externally, potentially exposing sensitive information or enabling further attacks such as internal network reconnaissance or exploitation of other internal vulnerabilities. The vulnerability affects all versions of the plugin up to and including version 1.0. The CVSS v3.1 base score is 7.2 (high severity), reflecting network attack vector, low attack complexity, no privileges required beyond Contributor access, no user interaction, and a scope change due to the ability to affect other components beyond the plugin itself. Although no known exploits are currently in the wild, the vulnerability's characteristics make it a credible threat, especially in environments where Contributor-level access is granted to untrusted users. The plugin's widespread use in WordPress sites increases the potential attack surface. The vulnerability was published on January 14, 2026, and is tracked under CWE-918 (SSRF).

For European organizations, this SSRF vulnerability poses a significant risk, especially for those relying on WordPress sites with the GetContentFromURL plugin installed. Attackers with Contributor-level access can leverage this flaw to perform internal network scanning, access internal APIs, or retrieve sensitive data from internal services that are not exposed externally. This can lead to data leakage, unauthorized information disclosure, and potentially facilitate lateral movement within the network. The ability to modify information on internal services further elevates the risk, potentially impacting data integrity. Given the high adoption of WordPress across Europe, organizations in sectors such as finance, healthcare, government, and critical infrastructure that use this plugin are particularly vulnerable. The vulnerability's exploitation could disrupt business operations, damage reputation, and result in regulatory non-compliance, especially under GDPR requirements concerning data protection and breach notification.

European organizations should take immediate steps to mitigate this vulnerability. First, update the GetContentFromURL plugin to a patched version once available; if no patch exists yet, consider disabling or removing the plugin temporarily. Restrict Contributor-level access strictly to trusted users and review user permissions regularly to minimize the risk of exploitation. Implement web application firewall (WAF) rules to detect and block suspicious SSRF attempts, particularly requests containing the [gcfu] shortcode with malicious URLs. Employ network segmentation and internal service access controls to limit the impact of SSRF by restricting the web server's ability to reach sensitive internal endpoints. Additionally, monitor outbound HTTP requests originating from the web server for anomalies. Developers and administrators should advocate for the plugin to replace wp_remote_get() with wp_safe_remote_get() or implement strict URL validation and allowlisting to prevent requests to internal IP ranges or sensitive domains. Regular security audits and penetration testing focusing on SSRF vectors are recommended to identify and remediate similar issues.