CVE-2025-9975: 
WordPress vulnerability analysis and mitigation

The WP Scraper plugin for WordPress is affected by a Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2025-9975. The vulnerability exists in all versions up to and including 5.8.1, specifically in the wpscraperextract_content function. This security flaw was discovered and reported by Wordfence, with the initial disclosure date being October 11, 2025 (NVD CVE).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) with a CVSS v3.1 Base Score of 6.8 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N. The flaw exists in the wpscraperextract_content function, which fails to properly validate input, allowing authenticated users with Administrator-level access to make arbitrary web requests originating from the web application (Wordfence).

The vulnerability allows authenticated attackers with Administrator-level access to make web requests to arbitrary locations originating from the web application. This can be exploited to query and modify information from internal services. On cloud instances, the vulnerability can be particularly dangerous as it enables metadata retrieval (NVD CVE).

Users should immediately update the WP Scraper plugin to a version newer than 5.8.1 if available. If an update is not available, it is recommended to disable or remove the plugin until a patch is released (NVD CVE).