CVE-2025-11427 MEDIUM

CVE-2025-11427: WP Migrate Lite <= 2.7.6 - Unauthenticated Blind Server-Side Request Forgery

Vendor Wpengine
Product WP Migrate Lite – Migration Made Easy
Weakness CWE-918 · SSRF
Published November 18, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-67623 WordPress 6Storage Rentals plugin <= 2.22.0 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-33679 Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections CVE-2022-23644 Server-side request forgery in BookWyrm CVE-2025-53250 WordPress Chartbeat Plugin <= 2.0.7 - Server Side Request Forgery (SSRF) Vulnerability CVE-2024-1758 SuperFaktura WooCommerce <= 1.40.3 - Authenticated (Subscriber+) Blind Server-Side Request Forgery