CVE-2025-68500 Overview
CVE-2025-68500 is a Server-Side Request Forgery (SSRF) vulnerability in the bdthemes Prime Slider – Addons For Elementor WordPress plugin (bdthemes-prime-slider-lite). The flaw affects all versions up to and including 4.0.10. An authenticated attacker with low privileges can coerce the vulnerable WordPress server to issue HTTP requests to attacker-chosen destinations. This enables internal network reconnaissance, access to metadata services, and interaction with internal-only endpoints not normally reachable from the internet. The issue is classified under CWE-918: Server-Side Request Forgery.
Critical Impact
An authenticated attacker can pivot through the WordPress server to send crafted HTTP requests to internal services, exposing sensitive data and back-end systems.
Affected Products
- bdthemes Prime Slider – Addons For Elementor (Lite) versions through 4.0.10
- WordPress installations using the bdthemes-prime-slider-lite plugin
- Elementor-based sites relying on Prime Slider addons
Discovery Timeline
- 2025-12-24 - CVE-2025-68500 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2025-68500
Vulnerability Analysis
The Prime Slider plugin exposes functionality that accepts a user-supplied URL and triggers a server-side fetch without sufficient validation of the destination. Because the plugin does not constrain the target host, scheme, or address range, an attacker can supply URLs pointing to internal IP ranges, loopback interfaces, or cloud metadata endpoints such as 169.254.169.254. The server-side fetch executes with the privileges and network position of the WordPress host. This converts the WordPress server into a proxy for accessing resources behind perimeter controls.
The attack requires low privileges (PR:L), which on a typical WordPress deployment corresponds to a Subscriber or Contributor account. The scope change indicator means a successful attack impacts resources beyond the vulnerable plugin itself, including internal services and adjacent systems. Confidentiality and integrity impacts are rated low because the attacker reads or modifies limited data through the proxied requests.
Root Cause
The root cause is missing or insufficient validation of user-controlled URL input prior to invoking a server-side HTTP request function. The plugin does not enforce an allowlist of permitted hosts, does not reject private or reserved IP ranges, and does not restrict the URL scheme. This pattern matches the canonical SSRF weakness described in CWE-918.
Attack Vector
The attack is network-reachable and requires authentication at a low privilege level. An attacker submits a request to a Prime Slider endpoint that accepts a URL parameter and substitutes an internal target. The WordPress server then issues the request and may return response data, status codes, or timing signals to the attacker. The high attack complexity (AC:H) reflects conditions such as needing valid credentials and knowledge of internal targets.
No verified public proof-of-concept code is available. Refer to the Patchstack SSRF Vulnerability Report for technical details published by the disclosing vendor.
Detection Methods for CVE-2025-68500
Indicators of Compromise
- Outbound HTTP requests from the WordPress PHP worker process to private IP ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 127.0.0.0/8
- WordPress server requests targeting cloud metadata endpoints, including 169.254.169.254 on AWS, Azure, or GCP
- Authenticated requests from Subscriber or Contributor accounts to Prime Slider AJAX or REST endpoints containing URL parameters
- Unusual web server access log entries with full URLs supplied as query or body parameters to bdthemes-prime-slider-lite handlers
Detection Strategies
- Inspect WordPress wp_remote_get and wp_remote_post call sites in plugin code for unvalidated user input reaching HTTP request functions
- Deploy egress filtering with logging at the WordPress host or container level to capture all outbound HTTP destinations
- Correlate authenticated WordPress sessions against outbound network connections initiated by the same PHP worker
- Alert on any outbound traffic from web tier hosts to RFC1918, link-local, or loopback ranges
Monitoring Recommendations
- Forward WordPress access logs, PHP-FPM logs, and web application firewall logs to a central analytics platform for query and correlation
- Monitor for repeated authenticated requests to admin-ajax.php or REST routes registered by bdthemes-prime-slider-lite
- Track creation of low-privilege WordPress accounts followed shortly by interaction with Prime Slider endpoints
How to Mitigate CVE-2025-68500
Immediate Actions Required
- Update the Prime Slider – Addons For Elementor plugin to a version later than 4.0.10 as soon as a fixed release is available from bdthemes
- Audit existing WordPress user accounts and remove unnecessary Subscriber, Contributor, and Author accounts
- Restrict outbound network access from WordPress hosts to only required external destinations
- Block access from WordPress instances to cloud instance metadata services using IMDSv2 enforcement or host-level firewall rules
Patch Information
No patched version is identified in the current advisory data. Monitor the Patchstack SSRF Vulnerability Report and the official bdthemes plugin changelog for an updated release that addresses CVE-2025-68500.
Workarounds
- Deactivate and remove the Prime Slider – Addons For Elementor plugin until a patched version is released
- Place the WordPress site behind a web application firewall and block requests containing URL parameters that reference private, loopback, or link-local IP addresses
- Enforce strict egress filtering so the WordPress server cannot reach internal subnets or cloud metadata endpoints
- Require IMDSv2 with hop limit of 1 on AWS EC2 instances hosting WordPress to neutralize metadata SSRF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

