CVE-2025-49418 HIGH

CVE-2025-49418: WordPress Allmart plugin <= 1.0.0 - Server Side Request Forgery (SSRF) Vulnerability

Vendor Teconcetheme

Product Allmart

Weakness CWE-918 · SSRF

Published July 4, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allmart-core allows Server Side Request Forgery.This issue affects Allmart: from n/a through <= 1.0.0.

Explanation of Vulnerability in Simple Terms

02Summary

Allmart versions up to 1.0.0 contain a server-side request forgery vulnerability that allows an attacker to make the site send HTTP requests to internal or external systems on the attacker's behalf. No authentication or user interaction is required. The vulnerability can leak sensitive information and modify data on systems the site can reach.

What an attacker can do

03Attacker Capabilities

Make the site send requests to internal systems or external servers to read data or trigger actions.

Potential impact on your site

04Site Impact

Attackers can access internal services, read sensitive data, or modify systems reachable from your server.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 4, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-49418 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities