– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-14610:
This vulnerability is an authenticated Server-Side Request Forgery (SSRF) in the TableMaster for Elementor WordPress plugin. The flaw exists in the Data Table widget’s CSV import functionality, allowing users with Author-level permissions or higher to force the plugin to make arbitrary HTTP requests. The CVSS score of 7.2 reflects the high impact of internal network probing and local file disclosure.

Atomic Edge research identifies the root cause in the `get_csv_data` function within `/modules/data-table/widgets/data-table.php`. Prior to version 1.3.7, the function processed the `csv_url` user parameter without sufficient validation. The vulnerable code at lines 437-439 used `esc_url_raw` on the user-supplied URL and then passed it directly to `wp_remote_get`. This function lacks built-in protections against internal network targets. The plugin performed no hostname resolution, IP range validation, or Content-Type checking, enabling requests to any reachable endpoint.

Exploitation requires an authenticated attacker with at least Author-level access to the WordPress site. The attacker must create or edit a post using the Elementor page builder, add a Data Table widget, and configure it to use a URL as the CSV source. The attacker then supplies a malicious URL in the `csv_url` parameter. This URL can target internal services, localhost, or file paths like `file:///var/www/html/wp-config.php`. When the page is saved or previewed, the plugin’s backend fetches the supplied URL, returning the response content to the attacker.

The patch introduces a new validation method, `is_safe_external_url`, and replaces the insecure `wp_remote_get` call with `wp_safe_remote_get`. The `is_safe_external_url` function performs multiple checks. It validates the URL structure, restricts the scheme to HTTP or HTTPS, blocks the hostnames `localhost` and `127.0.0.1`, resolves the hostname to an IP address, and filters out private and reserved IP ranges using `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE`. The patched code also adds a Content-Type header check to ensure responses are text-based. These changes collectively prevent requests to internal network segments and local services.

Successful exploitation grants attackers the ability to read sensitive files from the web server, such as `wp-config.php` containing database credentials and secret keys. Attackers can also probe internal network services, potentially accessing metadata endpoints, administrative interfaces, or other non-public applications. This can lead to full site compromise, database access, and lateral movement within the hosting environment.