
CVE-2025-9975: CWE-918 Server-Side Request Forgery (SSRF) in rico-macchi WP Scraper

Severity: Medium
Tags: vulnerability, cve-2025-9975, cwe-918
Published: Sat Oct 11 2025 (10/11/2025, 09:28:37 UTC)
Source: CVE Database V5
Vendor/Project: rico-macchi
Product: WP Scraper

Description

CVE-2025-9975 is a Server-Side Request Forgery (SSRF) vulnerability in the WP Scraper WordPress plugin, versions up to 5.8.1. It allows authenticated users with Administrator-level privileges or higher to make arbitrary web requests from the server hosting the WordPress site. This can lead to unauthorized querying and modification of internal services and, on cloud-hosted instances, retrieval of sensitive metadata. The vulnerability does not require user interaction but does require high-privilege authentication. It has a CVSS score of 6.8, indicating medium severity, primarily impacting confidentiality. No known exploits are currently in the wild. European organizations using this plugin should prioritize patching or mitigating this vulnerability to prevent potential internal network reconnaissance or data leakage.

AI-Powered Analysis

Last updated: 10/11/2025, 09:57:22 UTC

Technical Analysis

CVE-2025-9975 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WP Scraper plugin for WordPress, affecting all versions up to and including 5.8.1. The vulnerability resides in the wp_scraper_extract_content function, which improperly handles user-supplied input to make HTTP requests. An attacker with authenticated Administrator-level access can exploit this flaw to coerce the server into sending HTTP requests to arbitrary internal or external endpoints. This capability enables attackers to probe internal network services that are otherwise inaccessible externally, potentially exposing sensitive information or enabling further attacks such as internal service manipulation. On cloud-hosted WordPress instances, the SSRF can be leveraged to access cloud metadata services, which often contain credentials or configuration data, increasing the risk of privilege escalation or lateral movement. The vulnerability requires no user interaction but does require high-level authentication, limiting the attack surface to compromised or malicious administrators. The CVSS 3.1 base score is 6.8, reflecting a medium severity with a high impact on confidentiality, no impact on integrity or availability, and low attack complexity. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for environments where the plugin is installed and administrator credentials are compromised or misused.
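The defect described above is an admin-supplied URL reaching the server's HTTP client without a check on where it points. The following is an added example of how a plugin can guard such a fetch; it is not WP Scraper's code and does not show the vulnerable function. It assumes the WordPress HTTP API (wp_safe_remote_get, wp_parse_url, WP_Error); the function names scraper_target_is_public and scraper_fetch are hypothetical.

```php
<?php
// Added example, not code from the WP Scraper plugin: a defensive wrapper a
// plugin could call instead of passing an admin-supplied URL straight to an
// HTTP client. Assumes the WordPress HTTP API is loaded.

/**
 * Reject targets an SSRF-prone fetch should never reach: non-HTTP schemes,
 * and hosts (or bare IPs) that fall in loopback, RFC 1918 or link-local
 * space. 169.254.0.0/16 is where cloud metadata services are served, so it
 * is covered by FILTER_FLAG_NO_RES_RANGE below. Returns true if acceptable.
 */
function scraper_target_is_public( string $url ): bool {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, gopher://, ftp:// and friends
    }
    $host = trim( $parts['host'], '[].' ); // strip IPv6 brackets / trailing dot
    // A hostname may map to several addresses; every one must be public.
    // gethostbynamel() only returns A records, so AAAA-only hosts fail closed.
    $ips = filter_var( $host, FILTER_VALIDATE_IP )
        ? array( $host )
        : ( gethostbynamel( $host ) ?: array() );
    if ( empty( $ips ) ) {
        return false; // unresolvable: fail closed rather than let cURL decide
    }
    foreach ( $ips as $ip ) {
        $ok = filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
        if ( false === $ok ) {
            return false; // private, loopback, link-local or otherwise reserved
        }
    }
    return true;
}

/**
 * Fetch with the check applied. Redirects are disabled so a public host
 * cannot bounce the request into internal address space, and the
 * wp_safe_* variant adds core's own host validation on top.
 */
function scraper_fetch( string $url ) {
    if ( ! scraper_target_is_public( $url ) ) {
        return new WP_Error( 'scraper_blocked_target', 'Refusing to fetch a non-public address.' );
    }
    $response = wp_safe_remote_get( $url, array( 'redirection' => 0, 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}
```

The resolve-then-fetch sequence still leaves a DNS rebinding window between the check and the connection, so the network-level controls in the mitigation section (egress filtering, IMDSv2) remain necessary alongside code checks like this one.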

Potential Impact

For European organizations, this vulnerability poses a significant risk to internal network confidentiality and cloud infrastructure security. Organizations using the WP Scraper plugin on WordPress sites could have their internal services exposed to unauthorized queries, potentially leaking sensitive business or operational data. In cloud environments, metadata service access could lead to credential theft and subsequent privilege escalation or lateral movement within the cloud infrastructure. This could result in data breaches, disruption of internal services, or unauthorized access to critical systems. Given the requirement for administrator-level access, the threat is particularly relevant in scenarios where insider threats or credential compromise occur. The impact is heightened for organizations relying heavily on WordPress for public-facing or internal portals, especially those integrated with sensitive backend services or cloud platforms. Failure to address this vulnerability could lead to targeted attacks exploiting internal network trust boundaries, which are often less monitored and protected.

Mitigation Recommendations

European organizations should immediately verify if the WP Scraper plugin is installed and identify the version in use. Since no patch links are currently available, organizations should consider the following mitigations:

1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA).
2) Implement network segmentation and firewall rules to limit the WordPress server's ability to make outbound HTTP requests to internal services or cloud metadata endpoints.
3) Monitor and log outbound HTTP requests from the WordPress server to detect anomalous or unauthorized access attempts.
4) If feasible, temporarily disable or remove the WP Scraper plugin until a security patch is released.
5) Conduct regular audits of administrator accounts and review plugin usage to detect any suspicious activity.
6) For cloud-hosted instances, apply cloud provider-specific metadata service protections, such as IMDSv2 enforcement or metadata service access restrictions.

These steps will reduce the risk of exploitation while awaiting an official patch.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-04T11:22:02.807Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ea263e5baaa01f1ca1000b

Added to database: 10/11/2025, 9:41:18 AM

Last enriched: 10/11/2025, 9:57:22 AM

Last updated: 10/11/2025, 4:45:11 PM
