CVE-2025-57984 MEDIUM

CVE-2025-57984: WordPress MakeStories (for Google Web Stories) Plugin <= 3.0.4 - Server Side Request Forgery (SSRF) Vulnerability

Vendor Pratik Ghela
Product MakeStories (for Google Web Stories)
Weakness CWE-918 · SSRF
Published September 22, 2025
Last update April 28, 2026

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Server-Side Request Forgery (SSRF) vulnerability in Pratik Ghela MakeStories (for Google Web Stories) makestories-helper allows Server Side Request Forgery.This issue affects MakeStories (for Google Web Stories): from n/a through <= 3.0.4.

Explanation of Vulnerability in Simple Terms

02Summary

MakeStories for Google Web Stories versions 3.0.4 and earlier contain a server-side request forgery vulnerability. An authenticated administrator can craft requests that cause the site to make HTTP calls to internal or external systems on the attacker's behalf. The impact is limited to reading non-sensitive data and making minor modifications. Scope is changed, meaning the vulnerability may affect systems beyond the plugin itself.

What an attacker can do

03Attacker Capabilities

Make the site send HTTP requests to internal or external systems and read limited data from responses.

Potential impact on your site

04Site Impact

An admin account compromise could allow an attacker to probe your internal network or exfiltrate non-sensitive data via the site.

Conditions required to exploit

05Prerequisites

Attacker must have administrator-level access to the site; no user interaction required.

Key dates

06Disclosure timeline

September 22, 2025 CVE published
April 28, 2026 Record updated