CVE-2025-9975: 
WordPress vulnerability analysis and mitigation

The WP Scraper plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-9975) discovered on October 10, 2025 and disclosed on October 11, 2025. This vulnerability affects all versions up to and including 5.8.1. The issue exists in the wpscraperextract_content function and impacts WordPress installations using the affected plugin versions (NVD, Wordfence).

The vulnerability is present in the wpscraperextract_content function of the plugin and has been assigned a CVSS v3.1 base score of 6.8 (Medium). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs high privileges (PR:H), requires no user interaction (UI:N), and has changed scope (S:C) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N). The vulnerability is tracked as CWE-918 (Server-Side Request Forgery) (NVD).

When exploited, this vulnerability allows authenticated attackers with Administrator-level access or higher to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services. On cloud instances, the vulnerability enables metadata retrieval (NVD).

Users should upgrade to a version newer than 5.8.1 when available. Until a patch is released, administrators should consider disabling the plugin if SSRF protection is critical for their environment (NVD).