CVE-2025-67989 MEDIUM

CVE-2025-67989: WordPress Kerge theme <= 4.1.3 - Server Side Request Forgery (SSRF) vulnerability

Vendor Lmpixels

Product Kerge

Weakness CWE-918 · SSRF

Published December 16, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through <= 4.1.3.

Explanation of Vulnerability in Simple Terms

02Summary

Kerge versions up to 4.1.3 contain a server-side request forgery vulnerability that allows an attacker to make the application send HTTP requests to internal or external systems on the attacker's behalf. The vulnerability requires specific network conditions to exploit but can leak sensitive information or modify data on targeted systems. No user interaction is required.

What an attacker can do

03Attacker Capabilities

Make the site send HTTP requests to internal systems or external servers to read data or trigger actions.

Potential impact on your site

04Site Impact

Attackers could access internal services, read sensitive data, or modify resources on connected systems.

Conditions required to exploit

05Prerequisites

Network access to the vulnerable Kerge instance; specific network conditions must be present.

Key dates

06Disclosure timeline

December 16, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-67989 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities