CVE-2025-10874

MEDIUM

WordPress Orbit Fox < 3.0.2 - Stock Photo Import Server-Side Request Forgery

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10874, a PoC published by ryanmroth.

AI-analyzed exploit summary: This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-10874, demonstrating an SSRF vulnerability in the Orbit Fox WordPress plugin. The exploit leverages null byte injection to bypass URL validation and perform arbitrary HTTP requests from the server.

Description

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.
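The description above and the PoC summary describe one failure: the stock photo import endpoint fetches whatever URL an authenticated user supplies, and the PoC summary says the check that should have limited the URL can be bypassed with a null byte. The Python below is an added example written for this page, not Orbit Fox code and not the published PoC. The plugin's real validation is not shown here, so the weak extension check, the null-terminated-client emulation, the `*.stock.example` hostnames, the allowlist, and the offline resolver are all constructed. It shows, in general form, why a check on one string proves nothing about the string a downstream client actually fetches, and what a hardened check for a server-side fetch enforces: scheme, host allowlist, port, control characters, and the resolved address.

```python
"""Added example for the SSRF class behind CVE-2025-10874 (constructed; not Orbit Fox code)."""
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist: the only hosts a stock-photo import feature needs to reach.
ALLOWED_HOSTS = frozenset({"images.stock.example", "cdn.stock.example"})
ALLOWED_SCHEMES = frozenset({"https"})

# Constructed resolver table so the example runs offline. 8.8.8.8 / 8.8.4.4 are only
# stand-ins for "some public address"; a real deployment resolves through DNS.
FAKE_DNS = {"images.stock.example": "8.8.8.8", "cdn.stock.example": "8.8.4.4"}


def fake_resolve(host: str) -> str:
    """Offline stand-in for socket.gethostbyname (constructed)."""
    return FAKE_DNS[host]


def naive_is_image_url(url: str) -> bool:
    """Constructed weak check: accepts any http(s) URL whose last characters look like
    an image extension. A null byte defeats this kind of test because the bytes after
    the NUL still satisfy the check but never reach the HTTP client."""
    return url.startswith(("http://", "https://")) and url.lower().endswith(
        (".jpg", ".jpeg", ".png")
    )


def url_seen_by_nul_terminated_client(url: str) -> str:
    """Emulates a downstream component that handles the decoded URL as a C string:
    everything after the first %00 is dropped, so the validated string and the fetched
    string differ. This is a generic emulation of the bug class, not the plugin's code."""
    return unquote(url).split("\x00", 1)[0]


def check_import_url(url: str, resolve=socket.gethostbyname):
    """Hardened validator for a server-side fetch. Returns (True, canonical_url) on
    success or (False, reason) on rejection. Every property the fetch relies on is
    checked on the exact string that will be fetched."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False, "raw control character in URL"
    if "\x00" in unquote(url):
        return False, "percent-encoded null byte in URL"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, KeyError, ValueError) as exc:
        return False, f"could not resolve {host}: {exc!r}"
    # Rejects loopback, RFC 1918, link-local (169.254.0.0/16 metadata endpoints), etc.
    if not addr.is_global:
        return False, f"{host} resolves to non-public address {addr}"
    return True, f"https://{host}{parts.path}"


if __name__ == "__main__":
    probe = "https://127.0.0.1:8080/admin/%00.jpg"  # constructed attacker input
    print("naive check accepts:", naive_is_image_url(probe))
    print("client would fetch:", url_seen_by_nul_terminated_client(probe))
    print("hardened check:", check_import_url(probe, resolve=fake_resolve))
    print("legit import:", check_import_url("https://images.stock.example/p/1.jpg", resolve=fake_resolve))
    # An allowlisted name that DNS points at an internal address is still refused.
    print("rebound name:", check_import_url("https://cdn.stock.example/p/1.jpg", resolve=lambda h: "10.0.0.5"))
```

Two design points. The resolved address is checked once here, so a real implementation must connect to the address it validated (pin the resolved IP in the client) rather than let the HTTP library resolve the name a second time, or DNS rebinding reopens the hole. In WordPress specifically, the built-in `wp_safe_remote_get()` already rejects non-http(s) schemes and local addresses; it is the natural building block for a fix like the one in 3.0.2, though the page does not show what the fix actually changed.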

Exploits (1)

github · WORKING POC
by ryanmroth · python · poc
https://github.com/ryanmroth/Orbit-Fox_SSRF_CVE-2025-10874


Classification
Working PoC (95% confidence)
Attack type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Orbit Fox WordPress plugin (versions < 3.0.2)
Auth required: yes
Prerequisites: WordPress Author+ privileges · Target running vulnerable Orbit Fox plugin
Analyzed by devstral-2 on Feb 19, 2026

References (1)

Core references (1)
WPScan advisory (third-party advisory · exploit · vdb-entry · technical-description)
https://wpscan.com/vulnerability/171ba43f-55b6-471d-af0a-be553baf639a/

Scores

CVSS v3.1 base score: 5.5 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack vector: NETWORK
EPSS: 0.0016 (0.16% estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 5.2%
Note: the vector scores privileges required as High (PR:H) while the exploit analysis above lists Author+ as the prerequisite; confirm which role the affected import endpoint actually requires before relying on the base score for triage.

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: partial

Details

CWE: CWE-918 (Server-Side Request Forgery)
Status: published
Products (1)
Vendor: Unknown · Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More < 3.0.2
Published: Oct 24, 2025
Tracked since: Feb 18, 2026