CVE-2025-8680: CWE-918 Server-Side Request Forgery (SSRF) in bplugins B Slider- Gutenberg Slider Block for WP
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the fs_api_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
AI Analysis
Technical Summary
CVE-2025-8680 is a Server-Side Request Forgery (SSRF, CWE-918) vulnerability in the B Slider- Gutenberg Slider Block for WP plugin for WordPress, affecting all versions up to and including 2.0.0. The flaw is in the plugin's fs_api_request function, which does not adequately validate the destination of an outbound request, so any authenticated user with subscriber-level privileges or higher can make the web server issue HTTP requests to a destination of the attacker's choosing. An SSRF of this kind turns the server into a proxy: the requests originate from the WordPress host, so they reach addresses the attacker cannot reach directly (loopback services, internal APIs, cloud metadata endpoints) and carry whatever implicit trust the internal network grants to the web server. The advisory states that the primitive can be used to query and modify information on internal services. Exploitation requires a valid account but no further user interaction; on sites with open registration a subscriber account can be created on demand, so the practical barrier is low. The CVSS 3.1 base score is 4.3 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, and a low confidentiality impact with no integrity or availability impact scored. Note that the description speaks of modifying information on internal services while the score records no integrity impact; treat 4.3 as a floor in environments where unauthenticated internal services are reachable from the web server. No public exploit has been reported at the time of writing, but an SSRF primitive is a standard first step for internal reconnaissance and lateral movement. No fixed release or vendor patch is linked in this record, so operators need to check the vendor's changelog themselves and apply temporary mitigations in the meantime.
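The following is an added illustration, not code from the B Slider plugin or from bplugins, of the CWE-918 shape the summary describes (an authenticated endpoint that fetches a caller-supplied URL on the server's behalf) beside a hardened form. Only the idea of a server-side fetch of a user-controlled URL comes from the advisory; the handler names, the `bslider_fetch` AJAX action, the `url` parameter and the allowlist host are assumptions for the example.

```php
<?php
/**
 * Added illustration of the CWE-918 shape the advisory describes and one
 * way to close it. This is NOT code from the B Slider plugin: the handler
 * names, the 'bslider_fetch' AJAX action, the 'url' parameter and the
 * allowlist are assumptions; only the idea of a server-side fetch of a
 * caller-supplied URL comes from the advisory.
 */

// ---- Vulnerable shape --------------------------------------------------
// Every logged-in user, subscribers included, can invoke wp_ajax_* hooks.
// With no capability check and no destination validation, a subscriber can
// point the server's HTTP client at 127.0.0.1, an RFC 1918 address or an
// internal hostname and read the response.
function bslider_fetch_unsafe() {
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url );      // no host/IP validation, follows redirects
    wp_send_json_success( wp_remote_retrieve_body( $response ) ); // reflects the internal response
}

// ---- Hardened shape ----------------------------------------------------
function bslider_allowed_hosts() {
    // Assumed upstream the feature actually needs; exact hosts, no wildcards.
    return array( 'api.example.com' );
}

function bslider_fetch_safe() {
    // 1. Nonce and capability: only users allowed to manage the site may
    //    trigger a server-side fetch. check_ajax_referer() dies on failure.
    check_ajax_referer( 'bslider_fetch', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Validate scheme and host against a fixed allowlist before any I/O.
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( 'https' !== $scheme || ! in_array( $host, bslider_allowed_hosts(), true ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }

    // 3. wp_safe_remote_get() sets reject_unsafe_urls, so WordPress also
    //    refuses loopback and RFC 1918 IPv4 targets and non-standard ports.
    //    redirection => 0 stops an allowed host from bouncing the request
    //    to an internal one via a 3xx.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
        'headers'     => array( 'Accept' => 'application/json' ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }

    // 4. Return only the fields the feature needs, never the raw body.
    $data   = json_decode( wp_remote_retrieve_body( $response ), true );
    $slides = ( is_array( $data ) && isset( $data['slides'] ) ) ? $data['slides'] : array();
    wp_send_json_success( array( 'slides' => $slides ) );
}

add_action( 'wp_ajax_bslider_fetch', 'bslider_fetch_safe' );
```

The allowlist is the primary control and `reject_unsafe_urls` is defence in depth: `wp_http_validate_url()` resolves the hostname and checks the result against loopback and RFC 1918 ranges, but it is a resolve-then-connect check, so DNS rebinding can still get past it, and it does not cover every internal address range. If a feature genuinely needs arbitrary third-party URLs, fetch them through an isolated egress proxy rather than from the WordPress host itself.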
Potential Impact
The primary impact is exposure of internal network resources that are not reachable from the internet but are reachable from the web server. An attacker with subscriber-level access can use the server as a pivot for internal reconnaissance: probing for internal APIs, databases with HTTP interfaces, administrative consoles or cloud metadata services, and reading whatever those services return to an unauthenticated caller on the internal network. The direct confidentiality impact is scored low, but the information gathered is typically what enables the next stage of an attack, such as credential theft, privilege escalation or data exfiltration. Integrity and availability are not scored, so the immediate damage is limited; the real risk lies in attack chains, where a request-forging primitive on a trusted host is combined with weaknesses in the services it can reach. Exposure is greatest where internal services trust any request from the web server's network, where there is no segmentation between the WordPress host and back-end systems, and where subscriber accounts are easy to obtain (open registration, or credentials reused from other breaches). Any site running an affected version with the plugin active is exposed until it is updated or mitigated.
Mitigation Recommendations
1. Deactivate the B Slider- Gutenberg Slider Block plugin until a release newer than 2.0.0 that addresses the issue is available. If the slider is essential, keep it active only on sites where the remaining steps are in place.
2. Reduce who can reach the vulnerable function: disable open registration (Settings → General → "Anyone can register") unless the site needs it, review existing subscriber accounts for ones you do not recognise, and require strong passwords or MFA on the accounts that remain.
3. Apply network egress filtering on the web server: allow outbound HTTP/HTTPS only to the hosts WordPress and its plugins actually need (update servers, licensing and payment APIs) and explicitly block loopback, RFC 1918, link-local (169.254.0.0/16, which includes cloud metadata) and the IPv6 equivalents. This is the control that stops an SSRF from reaching internal services regardless of how the request is triggered.
4. Add WAF rules on the plugin's endpoints (commonly admin-ajax.php or REST routes) that flag URL-bearing parameters containing private or loopback addresses, internal hostnames or non-HTTP schemes, and alert on matches rather than relying on blocking alone, since attackers encode or redirect around pattern matches.
5. Harden internal services to require authentication and stop treating requests from the web server's address as trusted.
6. Watch for a vendor fix and apply it promptly; check the changelog confirms that request validation in fs_api_request was changed rather than relying on the version number alone.
7. Enforce an allowlist on the WordPress HTTP API from the WordPress side (a security plugin or a small must-use plugin), so outbound requests from any plugin are refused unless the destination is approved and blocked attempts are logged.
8. Apply least privilege: give accounts the lowest role they need and make administrators aware that even subscriber-level accounts can exploit server-side flaws like this one.
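As an added example that is not part of this page, of WordPress core or of the B Slider plugin, the following must-use plugin implements items 3, 4 and 7 at the application layer: it forces core's unsafe-URL rejection on every request made through the WordPress HTTP API and refuses any destination outside an allowlist, logging the attempt with the user ID that triggered it. The host list, the `egress_allowed_hosts` filter name and the file name are assumptions; adjust the list to what your site actually contacts.

```php
<?php
/**
 * Plugin Name: Outbound HTTP allowlist
 * Description: Added example (not part of B Slider or WordPress core) of an
 * application-layer egress policy. Save as wp-content/mu-plugins/egress-allowlist.php.
 *
 * Every request that goes through the WordPress HTTP API (wp_remote_get(),
 * wp_remote_post(), wp_safe_remote_get(), ...) from any plugin or theme is
 * refused unless it targets an allowlisted host. The host list and the
 * 'egress_allowed_hosts' filter name are assumptions for this example.
 */

function egress_allowed_hosts() {
    $hosts = array(
        'api.wordpress.org',        // core update and plugin-directory checks
        'downloads.wordpress.org',  // core/plugin/theme package downloads
        strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) ), // WP-Cron loopback
        strtolower( (string) wp_parse_url( site_url(), PHP_URL_HOST ) ),
    );
    return array_filter( apply_filters( 'egress_allowed_hosts', $hosts ) );
}

// Force core's unsafe-URL rejection on every request, including plain
// wp_remote_get() calls made by plugins. With reject_unsafe_urls set,
// WP_Http runs wp_http_validate_url(), which refuses targets that are, or
// resolve to, loopback or RFC 1918 IPv4 space and rejects non-standard ports.
add_filter( 'http_request_args', function ( $args, $url ) {
    $args['reject_unsafe_urls'] = true;
    return $args;
}, 10, 2 );

// Refuse anything outside the allowlist before a socket is opened, and log
// the attempt: with a subscriber-triggerable SSRF this log line, tied to a
// user ID and request URI, is the detection signal.
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another filter already answered this request
    }
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( '' !== $host && in_array( $host, egress_allowed_hosts(), true ) ) {
        return false; // allowed: let WP_Http perform the request
    }
    error_log( sprintf(
        'egress blocked: host=%s url=%s user=%d uri=%s',
        $host,
        $url,
        get_current_user_id(),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
    return new WP_Error( 'egress_blocked', sprintf( 'Outbound request to "%s" is not permitted.', $host ) );
}, 10, 3 );
```

Deploy it first in a staging environment and read the `egress blocked` lines in the PHP error log to discover which legitimate hosts (licence checks, CDNs, payment gateways) need adding. This covers only requests that go through the WordPress HTTP API; a plugin that calls curl or file_get_contents directly bypasses it, which is why the network-level egress filtering in item 3 remains the backstop.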
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-06T18:49:06.064Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689e9c51ad5a09ad00615fb6
Added to database: 8/15/2025, 2:32:49 AM
Last enriched: 2/26/2026, 5:23:21 PM
Last updated: 3/25/2026, 6:56:22 AM
Views: 104