CVE-2024-25915: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the WordPress Pexels: Free Stock Photos plugin, affecting versions up to and including 1.2.2. The vulnerability was identified with CVE-2024-25915 and was publicly disclosed on February 12, 2024. This security issue affects the plugin developed by Raaj Trambadia (Patchstack).

The vulnerability exists in the pexels_fsp_images_options_validate() function and has received varying CVSS severity scores. The National Vulnerability Database (NVD) assigned it a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 4.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to make web requests to arbitrary locations originating from the web application. This capability can be exploited to query and modify information from internal services, potentially exposing sensitive information running on the system (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects versions up to and including 1.2.2, but no patched version has been released (Patchstack).