CVE-2025-10874 | THREATINT

Description

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

PUBLISHED Reserved 2025-09-23 | Published 2025-10-24 | Updated 2025-10-24 | Assigner WPScan

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

Any version before 3.0.2

affected

Credits

Ryan Roth finder

WPScan coordinator

References

wpscan.com/...rability/171ba43f-55b6-471d-af0a-be553baf639a/ exploit vdb-entry technical-description

cve.org (CVE-2025-10874)

nvd.nist.gov (CVE-2025-10874)

Download JSON