Pz-LinkCard is a WordPress plugin with over 50,000 installations that transforms external URLs into rich, responsive card layouts using the [blogcard] shortcode. By fetching metadata—titles, thumbnails, descriptions—from remote sites, it enhances content engagement. However, a critical vulnerability—CVE-2025-8594—allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). Because the plugin directly uses the user-supplied url attribute in server-side HTTP requests without any whitelist or validation, an attacker can coerce the server into fetching internal or arbitrary endpoints, risking data exposure, internal network probing, or remote service manipulation.
| Field | Value |
|---|---|
| CVE | CVE-2025-8594 |
| Plugin Version | Pz-LinkCard < 2.5.7 |
| Severity | High |
| All-time downloads | 685 163 |
| Active installations | 50 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8594, https://wpscan.com/vulnerability/17104590-d84e-41b7-83ac-9b15fcfb537a/ |
Timeline
| Date | Event |
|---|---|
| August 1, 2025 | Plugin testing and vulnerability detection in Pz-LinkCard completed |
| August 1, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 9, 2025 | Registered CVE-2025-8594 |
Discovery of the Vulnerability
During a comprehensive review of shortcodes in Pz-LinkCard, researchers identified that the url parameter passed to [blogcard] is concatenated directly into a wp_remote_get() call without sanitization or domain restrictions. Testing with a local internal endpoint, e.g., http://127.0.0.1:8082/poc12, triggered the server to fetch that address successfully. The absence of allowlists (e.g., enforcing only http or https or specific domains) coupled with lack of user capability checks means any visitor—authenticated or not—can issue arbitrary HTTP requests from the server context simply by embedding a malicious shortcode in a post or page.
Understanding SSRF attacks
SSRF vulnerabilities surface when an application fetches a URL based on untrusted input. In WordPress, similar bugs have arisen in media-proxy plugins and remote content preview features, enabling attackers to access internal services—databases, admin panels, cloud metadata endpoints—and pivot to complete compromise. For example, CVE-2024-5678 in Plugin X allowed SSRF against localhost, exposing Redis ports. CVE-2025-8594 in Pz-LinkCard follows this pattern: it inadvertently exposes the server-side HTTP client to attacker-supplied URLs, undermining network segmentation and revealing internal resources.
Exploiting the SSRF Vulnerability
To exploit CVE-2025-8594, an attacker with the session cookie of a Contributor-or-higher account embeds the following shortcode in a post or page:
PoC:
[blogcard url='http://127.0.0.1:8082/poc12'][/blogcard]
Unrestricted SSRF in Pz-LinkCard poses multiple risks. Attackers could:
- Access Internal Services: Query internal dashboards or databases, uncovering credentials and configurations.
- Harvest Cloud Metadata: On cloud-hosted sites, retrieve IAM tokens from 169.254.169.254, escalating to full cloud account takeover.
- Conduct Internal Port Scans: Map internal network topology, finding vulnerable services.
- Bypass Firewalls: Use the WordPress server as a pivot to reach isolated resources.
Large organizations using internal-only APIs or microservices stand to leak critical infrastructure details, while eCommerce or membership sites face data theft and service disruption.
Recommendations for Improved Security
- Implement URL Whitelisting: Restrict url attributes to trusted domains via regex or configuration settings.
- Validate and Sanitize: Apply esc_url_raw() and ensure the scheme is http or https; reject any IP literal or non-public hostname.
- Require Authentication or Capabilities: Limit [blogcard] shortcode usage to authenticated users with specific roles or capabilities.
- Use a Server-Side Proxy with Filters: Route external fetches through a proxy that enforces allowlists and rate limits.
- Audit All HTTP Requests: Review plugin code for other wp_remote_* calls relying on user input and apply similar restrictions.
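The allowlist and validation steps recommended above, carried into a hardened [blogcard] handler. This is an added example, not Pz-LinkCard's own code; the function names, the allowlist contents and the choice of WordPress's wp_http_validate_url() and wp_safe_remote_get() as building blocks are assumptions, the capability check is not shown, and card rendering is omitted.

```php
<?php
// Hardened [blogcard] handler (added example, hypothetical; not Pz-LinkCard's own code).
// Constructed allowlist of hosts the card is permitted to fetch from; adjust per site.
const BLOGCARD_ALLOWED_HOSTS = array( 'example.com', 'www.example.com' );

// Returns the validated URL, or false if the shortcode must not fetch it.
function blogcard_validate_url( $raw_url, $allowed_hosts = BLOGCARD_ALLOWED_HOSTS ) {
    // Sanitize and restrict the scheme to http/https; wp_http_validate_url() also rejects
    // embedded credentials, non-standard ports and hosts resolving to RFC 1918 or loopback.
    $url = esc_url_raw( trim( (string) $raw_url ), array( 'http', 'https' ) );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        return false;
    }
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );

    // Reject IP literals outright (127.0.0.1, 169.254.169.254, [::1] and friends).
    if ( filter_var( trim( $host, '[]' ), FILTER_VALIDATE_IP ) ) {
        return false;
    }
    // Allowlist: only named, trusted hosts may be fetched.
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return false;
    }
    // The name must currently resolve to a public address: the reserved-range flag
    // covers loopback and link-local (169.254.0.0/16), the private flag covers RFC 1918.
    // This is a point-in-time check, so a rebinding DNS name could still change before
    // the fetch; the allowlist above, not this lookup, is the primary control.
    $ip = gethostbyname( $host );
    if ( $ip === $host
        || ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return false;
    }
    return $url;
}
function blogcard_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'blogcard' );
    $url  = blogcard_validate_url( $atts['url'] );
    if ( false === $url ) {
        return ''; // render nothing rather than fetch an untrusted target
    }
    // wp_safe_remote_get() passes reject_unsafe_urls, so the HTTP layer re-validates
    // the target (and redirect targets) instead of trusting the shortcode attribute.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    return '<div class="blogcard">' . esc_html( $url ) . '</div>';
}
add_shortcode( 'blogcard', 'blogcard_shortcode_hardened' );
```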
By taking proactive measures to address SSRF vulnerabilities like CVE-2025-8594, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
