CVE Alert: CVE-2025-10861 – roxnor – Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Risk verdict

High risk: unauthenticated SSRF in the WordPress plugin could reach internal services; no active exploitation confirmed, but patching should be treated as urgent.

Why this matters

Attacker capability to query internal resources from the application could enable data exposure and reconnaissance, with potential pivot to other internal systems. Business impact includes leakage of sensitive data and possible disruption of services that rely on internal APIs.

Most likely attack path

No user interaction required. An attacker provides a crafted URL in the vulnerable parameter, triggering server-side requests to the target location. This can reach internal networks or other protected resources, enabling automated, credential‑less exploitation of exposed endpoints.

Who is most exposed

Sites hosting this WordPress plugin, especially those on public hosting with WooCommerce deployments and exposed checkout/integration endpoints, are at greatest risk.

Detection ideas

• Outbound requests from the web server to internal IPs or unusual domains.
• Logs showing anomalous URL parameter values or SSRF-like fetches.
• WAF/IDS alerts for SSRF patterns or unexpected fetch destinations.
• spikes in egress to internal services tied to plugin activity.

Mitigation and prioritisation

• Upgrade to a version beyond 2.1.4; if unavailable, disable the fetch/URL parameter feature or the plugin.
• Implement network egress controls and allowlists for internal destinations.
• Apply SSRF-focused WAF rules; validate and constrain URL inputs server-side.
• Harden hosting environment (restrict URL fetch functions where feasible).
• Test in staging before deploy; monitor logs for SSRF indicators after patching.