CVE-2025-47635: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in WPWebinarSystem WebinarPress plugin, identified as CVE-2025-47635. The vulnerability was initially reported on April 1, 2025, by security researcher Trương Hữu Phúc and officially published on May 7, 2025. This security issue affects WebinarPress plugin versions up to and including 1.33.27 (Wiz, Patchstack).

The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and has received varying severity assessments. The National Institute of Standards and Technology (NIST) assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack rates it at 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability requires administrator privileges to exploit (NVD, Patchstack).

The SSRF vulnerability could enable a malicious actor to execute website requests to arbitrary domains of their choosing. This capability could potentially lead to the discovery of sensitive information about other services running on the affected system (Patchstack).

As of the vulnerability disclosure, no official fix has been made available for this security issue. The vulnerability affects all versions of WebinarPress up to and including version 1.33.27 (NVD, Wiz).