CVE-2025-48364: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability has been identified in vEnCa-X rajce plugin affecting versions through 0.4.2. The vulnerability was discovered and reported by Nabil Irawan on July 14, 2025, and was officially published with CVE identifier CVE-2025-48364 on August 28, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical assessment indicates that the vulnerability requires network access (AV:N), has high attack complexity (AC:H), requires low privileges (PR:L), needs no user interaction (UI:N), has changed scope (S:C), and can impact both confidentiality and integrity at a low level (C:L, I:L) with no impact on availability (A:N) (Patchstack).

The SSRF vulnerability could allow a malicious actor to cause a website to execute website requests to an arbitrary domain of the attacker. This could potentially lead to the discovery of sensitive information from other services running on the system. The vulnerability requires at least Contributor-level privileges to exploit (Patchstack).

As there is no official fix available and the software appears to be abandoned (last updated over a year ago), the recommended mitigation is to remove and replace the software with an alternative solution. It's noted that simply deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).