Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68500

CVE-2025-68500: Prime Slider for Elementor SSRF Vulnerability

CVE-2025-68500 is a Server-Side Request Forgery flaw in bdthemes Prime Slider for Elementor affecting versions up to 4.0.10. This article covers the technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2025-68500 Overview

CVE-2025-68500 is a Server-Side Request Forgery (SSRF) vulnerability in the bdthemes Prime Slider – Addons For Elementor WordPress plugin (bdthemes-prime-slider-lite). The flaw affects all versions up to and including 4.0.10. An authenticated attacker with low privileges can coerce the vulnerable WordPress server to issue HTTP requests to attacker-chosen destinations. This enables internal network reconnaissance, access to metadata services, and interaction with internal-only endpoints not normally reachable from the internet. The issue is classified under CWE-918: Server-Side Request Forgery.

Critical Impact

An authenticated attacker can pivot through the WordPress server to send crafted HTTP requests to internal services, exposing sensitive data and back-end systems.

Affected Products

  • bdthemes Prime Slider – Addons For Elementor (Lite) versions through 4.0.10
  • WordPress installations using the bdthemes-prime-slider-lite plugin
  • Elementor-based sites relying on Prime Slider addons

Discovery Timeline

  • 2025-12-24 - CVE-2025-68500 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2025-68500

Vulnerability Analysis

The Prime Slider plugin exposes functionality that accepts a user-supplied URL and triggers a server-side fetch without sufficient validation of the destination. Because the plugin does not constrain the target host, scheme, or address range, an attacker can supply URLs pointing to internal IP ranges, loopback interfaces, or cloud metadata endpoints such as 169.254.169.254. The server-side fetch executes with the privileges and network position of the WordPress host. This converts the WordPress server into a proxy for accessing resources behind perimeter controls.

The attack requires low privileges (PR:L), which on a typical WordPress deployment corresponds to a Subscriber or Contributor account. The scope change indicator means a successful attack impacts resources beyond the vulnerable plugin itself, including internal services and adjacent systems. Confidentiality and integrity impacts are rated low because the attacker reads or modifies limited data through the proxied requests.

Root Cause

The root cause is missing or insufficient validation of user-controlled URL input prior to invoking a server-side HTTP request function. The plugin does not enforce an allowlist of permitted hosts, does not reject private or reserved IP ranges, and does not restrict the URL scheme. This pattern matches the canonical SSRF weakness described in CWE-918.

Attack Vector

The attack is network-reachable and requires authentication at a low privilege level. An attacker submits a request to a Prime Slider endpoint that accepts a URL parameter and substitutes an internal target. The WordPress server then issues the request and may return response data, status codes, or timing signals to the attacker. The high attack complexity (AC:H) reflects conditions such as needing valid credentials and knowledge of internal targets.

No verified public proof-of-concept code is available. Refer to the Patchstack SSRF Vulnerability Report for technical details published by the disclosing vendor.

Detection Methods for CVE-2025-68500

Indicators of Compromise

  • Outbound HTTP requests from the WordPress PHP worker process to private IP ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 127.0.0.0/8
  • WordPress server requests targeting cloud metadata endpoints, including 169.254.169.254 on AWS, Azure, or GCP
  • Authenticated requests from Subscriber or Contributor accounts to Prime Slider AJAX or REST endpoints containing URL parameters
  • Unusual web server access log entries with full URLs supplied as query or body parameters to bdthemes-prime-slider-lite handlers

Detection Strategies

  • Inspect WordPress wp_remote_get and wp_remote_post call sites in plugin code for unvalidated user input reaching HTTP request functions
  • Deploy egress filtering with logging at the WordPress host or container level to capture all outbound HTTP destinations
  • Correlate authenticated WordPress sessions against outbound network connections initiated by the same PHP worker
  • Alert on any outbound traffic from web tier hosts to RFC1918, link-local, or loopback ranges

Monitoring Recommendations

  • Forward WordPress access logs, PHP-FPM logs, and web application firewall logs to a central analytics platform for query and correlation
  • Monitor for repeated authenticated requests to admin-ajax.php or REST routes registered by bdthemes-prime-slider-lite
  • Track creation of low-privilege WordPress accounts followed shortly by interaction with Prime Slider endpoints

How to Mitigate CVE-2025-68500

Immediate Actions Required

  • Update the Prime Slider – Addons For Elementor plugin to a version later than 4.0.10 as soon as a fixed release is available from bdthemes
  • Audit existing WordPress user accounts and remove unnecessary Subscriber, Contributor, and Author accounts
  • Restrict outbound network access from WordPress hosts to only required external destinations
  • Block access from WordPress instances to cloud instance metadata services using IMDSv2 enforcement or host-level firewall rules

Patch Information

No patched version is identified in the current advisory data. Monitor the Patchstack SSRF Vulnerability Report and the official bdthemes plugin changelog for an updated release that addresses CVE-2025-68500.

Workarounds

  • Deactivate and remove the Prime Slider – Addons For Elementor plugin until a patched version is released
  • Place the WordPress site behind a web application firewall and block requests containing URL parameters that reference private, loopback, or link-local IP addresses
  • Enforce strict egress filtering so the WordPress server cannot reach internal subnets or cloud metadata endpoints
  • Require IMDSv2 with hop limit of 1 on AWS EC2 instances hosting WordPress to neutralize metadata SSRF

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.