CVE-2025-11917

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-11917

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-11917.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-11917

Published

2025-11-05T07:15:32.073Z

Modified

2025-11-16T12:29:47.764305Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematicotestfeed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

References

Affected packages

Git / github.com/etruel/wpematico

Affected ranges

Type: GIT
Repo: https://github.com/etruel/wpematico
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7a281dcfc0868490d62caee54f3b743708fed7cf

Affected versions

1.*

1.3.8.2

1.3.8.3

1.3.8.4

1.4

1.4.1

1.4.2

1.5

1.6

1.6.1

1.6.2

1.7

1.7.2

1.7.3

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.9

1.9.2

1.9.3

1.9.4

2.*

2.0

2.1

2.1.1

2.1.2

2.2

2.2.2

2.3

2.3.10

2.3.2

2.3.3

2.3.4

2.4.2

2.4.2RC2

2.5

2.5.1

2.5.3

2.6

2.6.1

2.6.10

2.6.11

2.6.12

2.6.15

2.6.16

2.6.17

2.6.18

2.6.19

2.6.2

2.6.20

2.6.20.2

2.6.21

2.6.22

2.6.24

2.6.25

2.6.3

2.6.4

2.6.6

2.6.7

2.6.8

2.6.9

2.7

2.7.10

2.7.2

2.7.3

2.7.4

2.7.6

2.7.7

2.7.7.1

2.7.8

2.7.9

2.8

2.8.2

2.8.3

2.8.4

2.8.5

2.8.7