CVE-2025-63010 MEDIUM

CVE-2025-63010: WordPress Hercules Core plugin <= 7.4 - Server Side Request Forgery (SSRF) vulnerability

Vendor: Themesinflow
Product: Hercules Core
Weakness: CWE-918 · SSRF
Published: December 9, 2025
Last update: April 28, 2026

CVSS base score

4.9/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core (hercules-core) allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4.

Explanation of Vulnerability in Simple Terms

02 Summary

Hercules Core versions 7.4 and earlier contain a server-side request forgery vulnerability. An authenticated attacker with low privileges can make the site send HTTP requests to internal or external systems on their behalf. The impact is limited to reading non-sensitive data and making minor modifications. Exploitation requires network access and specific conditions to be met.

What an attacker can do

03 Attacker Capabilities

Make the site send HTTP requests to internal systems or external servers on the attacker's behalf.

Potential impact on your site

04 Site Impact

Attackers with low-privilege accounts can probe internal infrastructure or interact with external services using your site's IP address.

Conditions required to exploit

05 Prerequisites

Attacker must have low-level authenticated access to the site; no user interaction required.

Key dates

06 Disclosure timeline

December 9, 2025: CVE published
April 28, 2026: Record updated