CVE-2025-13174 MEDIUM

CVE-2025-13174: rachelos WeRSS we-mp-rss Webhook mps.py do_job server-side request forgery

Vendor Rachelos
Product WeRSS we-mp-rss
Weakness CWE-918 · SSRF
Published November 14, 2025
Last update November 14, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A weakness has been identified in rachelos WeRSS we-mp-rss up to 1.4.7. It affects the function do_job of the file /rachelos/we-mp-rss/blob/main/jobs/mps.py in the Webhook Module component. Manipulating the argument web_hook_url can lead to server-side request forgery. The attack may be launched remotely. An exploit has been made available to the public and could be used.

Key dates

02 Disclosure timeline

November 14, 2025 CVE published
November 14, 2025 Record updated