CVE-2025-8594: 
WordPress vulnerability analysis and mitigation

The Pz-LinkCard WordPress plugin before version 2.5.7 contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-8594. The vulnerability was discovered on September 23, 2025, by security researcher Dmitrii Ignatyev. This security flaw affects users with roles as low as Contributor, who can exploit the plugin's failure to validate parameters before making requests (WPScan).

The vulnerability stems from improper parameter validation in the plugin's request handling mechanism. The SSRF vulnerability can be triggered using the blogcard shortcode with a malicious URL parameter. The proof of concept demonstrates exploitation using the syntax [blogcard url='http://127.0.0.1:8082/poc12'][/blogcard]. The vulnerability has been assigned a CVSS score of 3.8 (Low) and is classified under CWE-918 (WPScan).

When exploited, this vulnerability allows attackers with Contributor-level access or higher to perform Server-Side Request Forgery attacks. This could potentially enable attackers to probe internal networks, bypass firewall restrictions, and access internal resources that should not be accessible from external networks (WPScan).

The vulnerability has been patched in version 2.5.7 of the Pz-LinkCard plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly disclosed (WPScan).