{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5817", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-06T16:38:33.740Z", "datePublished": "2025-07-02T03:47:24.666Z", "dateUpdated": "2026-04-08T16:52:16.632Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:16.632Z"}, "affected": [{"vendor": "suhailahmad64", "product": "Amazon Products to WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Amazon Products to WooCommerce <= 1.2.7 - Unauthenticated Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5055cf24-14c7-4533-8900-a5f4c1435201?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/import-products-to-wc/trunk/inc/urls-ajax.php#L28"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-07-01T14:56:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:00:36.007069Z", "id": "CVE-2025-5817", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:18:38.235Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-02T13:00:36.007069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:05:22.402Z"}}], "cna": {"title": "Amazon Products to WooCommerce <= 1.2.7 - Unauthenticated Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "suhailahmad64", "product": "Amazon Products to WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-01T14:56:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5055cf24-14c7-4533-8900-a5f4c1435201?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/import-products-to-wc/trunk/inc/urls-ajax.php#L28"}], "descriptions": [{"lang": "en", "value": "The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:16.632Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5817", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:16.632Z", "dateReserved": "2025-06-06T16:38:33.740Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T03:47:24.666Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suhailahmad64:amazon_products_to_woocommerce:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0DC397EF-BDEE-420B-A9EB-044427283169", "versionEndIncluding": "1.2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}, {"lang": "es", "value": "El complemento Amazon Products to WooCommerce para WordPress es vulnerable a Server-Side Request Forgery en todas las versiones hasta la 1.2.7 incluida, mediante wcta2w_get_urls(). Esto permite a atacantes no autenticados realizar solicitudes web a ubicaciones arbitrarias desde la aplicaci\u00f3n web y utilizarlas para consultar y modificar informaci\u00f3n de servicios internos."}], "id": "CVE-2025-5817", "lastModified": "2025-07-16T15:53:33.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-02T04:15:58.783", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/import-products-to-wc/trunk/inc/urls-ajax.php#L28"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5055cf24-14c7-4533-8900-a5f4c1435201?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:55:51.648472+00:00", "value": {"mitigation_remediation": ["Upgrade Amazon Products to WooCommerce to the latest version that includes the fix (any release newer than 1.2.7).", "If an update cannot be applied immediately, deactivate the plugin to stop the vulnerable endpoint from being accessible.", "Configure a firewall or security plugin to block outbound HTTP(S) requests from the WordPress application, limiting the plugin\u2019s ability to contact arbitrary hosts."], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery allows unauthenticated attackers to issue arbitrary requests from the application, enabling potential disclosure or modification of internal resources."}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Amazon Products to WooCommerce plugin installed from the vendor suhailahmad64, in any version up to and including 1.2.7. The vulnerability is specific to that plugin and does not affect core WordPress or other plugins.", "description_and_impact": "The Amazon Products to WooCommerce WordPress plugin is vulnerable to a server\u2011side request forgery (CWE\u2011918) in all releases through 1.2.7. The flaw is triggered via the wcta2w_get_urls() function, which processes user\u2011supplied URLs without proper validation. An unauthenticated attacker can use this to cause the server to fetch any target host, including internal network services, thereby exposing or altering sensitive data. This can compromise confidentiality, integrity, and availability of internal systems.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% shows a very low current exploitation probability; the vulnerability is not flagged in the CISA KEV catalog. Attack requires no special credentials or privileged access\u2014it exploits an unauthenticated endpoint that can be queried by any external user. Consequently, a remote attacker can trigger the plugin to reach arbitrary URLs from the server, facilitating attacks such as internal port scanning, data exfiltration, or altering internal service state. The lack of network segmentation or firewall restrictions ups the risk of internal resource exposure."}}}}, "created": "2026-04-21T20:00:25.900954+00:00", "updated": "2026-04-21T20:00:25.900966+00:00", "vendors": []}