Atomic Edge analysis of CVE-2025-14438:
The Xagio SEO WordPress plugin contains an authenticated Server-Side Request Forgery (SSRF) vulnerability in its pixabayDownloadImage function. This flaw allows users with Subscriber-level permissions or higher to force the application to make arbitrary HTTP requests to internal and external systems. The vulnerability stems from insufficient validation of user-supplied URLs and inadequate capability checks.
Root Cause: The vulnerability resides in the pixabayDownloadImage function within the file xagio-seo/modules/seo/models/xagio_tinymce.php. The function accepted user-controlled input via the POST parameter ‘img’ without validating the host it pointed at, and passed it directly to the fetch_image method, which retrieved it with wp_remote_get. Unlike wp_safe_remote_get, wp_remote_get does not reject URLs that point at loopback or private-network addresses, so the fetch could reach anything the web server itself could reach. The function also lacked a capability check, so any authenticated user who could obtain the nonce, including the ‘subscriber’ role, could trigger the AJAX action. In the patched version the code path starts at line 73; before the fix, the function performed only a nonce check at that point before processing the URL.
Exploitation: An authenticated attacker with Subscriber privileges sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to ‘pixabayDownloadImage’. The request includes a valid WordPress nonce (obtainable from any page where the plugin loads) and the target URL in the ‘img’ parameter; the ‘title’ parameter can be any string. The nonce is a CSRF token, not an authorization check: it only shows that the request originated from the site's own pages, which any logged-in Subscriber can satisfy. The plugin then fetches the attacker-controlled URL and attempts to save the response as an image attachment. This allows probing internal network services, reading cloud instance metadata, or interacting with internal APIs.
Patch Analysis: The patch introduces multiple security layers. First, it adds a capability check requiring the ‘upload_files’ capability (line 76), which restricts the function to users with at least Author-level permissions. Second, it implements strict host validation (lines 84-103), allowing only requests to pixabay.com, www.pixabay.com, and cdn.pixabay.com; provided the comparison is an exact match on the parsed host rather than a substring or prefix test, user-info tricks such as pixabay.com@other-host and look-alike domains such as pixabay.com.attacker.example fail the check. Third, it replaces wp_remote_get with wp_safe_remote_get (line 160) and validates the response Content-Type header. wp_safe_remote_get rejects non-http(s) schemes, non-standard ports, and hosts that resolve to loopback or RFC 1918 ranges, but it does not block the 169.254.0.0/16 link-local range used by cloud metadata services, so the host allowlist is the control that actually closes the metadata-endpoint case and the safe fetch is defence in depth. Fourth, it adds proper parameter sanitization using esc_url_raw and additional empty checks. These changes collectively prevent SSRF by blocking non-Pixabay URLs and restricting the action to higher-privileged users.
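The following Python model of the patched URL handling is an added example and is not the plugin's code. It implements the Pixabay host allowlist the advisory names, an approximation of the private-range and port checks that wp_safe_remote_get applies through wp_http_validate_url, and the Content-Type check on the response. The `resolve` callback stands in for DNS so the example runs offline, and the combined decision function is an assumed structure, not the plugin's actual call order. The checks are deliberately run separately so the link-local gap in the safe-mode check is visible.

```python
"""Model of the CVE-2025-14438 fix: host allowlist, safe-URL check, Content-Type check.

Added example, not code from the Xagio SEO plugin. The allowlist is the one the
advisory names; the range/port rules mirror WordPress's wp_http_validate_url and
show that 169.254.0.0/16 (cloud metadata) is NOT among the ranges it rejects.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Hosts the patch allows (from the advisory).
PIXABAY_HOSTS = frozenset({"pixabay.com", "www.pixabay.com", "cdn.pixabay.com"})

# Ranges rejected by WordPress's safe-mode check; note the absence of 169.254.0.0/16.
WP_UNSAFE_RANGES = [ipaddress.ip_network(n) for n in
                    ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                     "172.16.0.0/12", "192.168.0.0/16")]
WP_SAFE_PORTS = {80, 443, 8080}


def pixabay_url_check(url: str) -> tuple[bool, str]:
    """The patch's allowlist: exact, case-insensitive match on the parsed host.

    urlsplit().hostname drops user-info and lowercases, so
    'http://pixabay.com@169.254.169.254/' yields host 169.254.169.254.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    host = (parts.hostname or "").lower()
    if host not in PIXABAY_HOSTS:
        return False, f"host {host!r} not allowed"
    return True, "ok"


def wp_safe_url_check(url: str, resolve=None) -> tuple[bool, str]:
    """Approximation of wp_http_validate_url(): scheme, port and private-range rules.

    `resolve` maps a hostname to an IP string (a DNS stand-in for offline use).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    if not parts.hostname:
        return False, "no host"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in WP_SAFE_PORTS:
        return False, "port"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:  # not an IP literal: resolve it, as WordPress does
        if resolve is None:
            return True, "hostname not resolved"
        ip = ipaddress.ip_address(resolve(parts.hostname))
    if any(ip in net for net in WP_UNSAFE_RANGES):
        return False, "private range"
    return True, "ok"


def is_image_content_type(header_value: str) -> bool:
    """Response-side check the patch adds before saving the body as an attachment."""
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type.startswith("image/")


def download_allowed(url: str, content_type: str, resolve=None) -> bool:
    """Combined decision (assumed order): allowlist, then safe fetch, then Content-Type."""
    if not pixabay_url_check(url)[0]:
        return False
    if not wp_safe_url_check(url, resolve)[0]:
        return False
    return is_image_content_type(content_type)


if __name__ == "__main__":
    for candidate in ("https://cdn.pixabay.com/photo/1.jpg",
                      "http://pixabay.com@169.254.169.254/latest/meta-data/",
                      "http://pixabay.com.attacker.example/x.jpg",
                      "http://127.0.0.1:8080/"):
        print(candidate, pixabay_url_check(candidate), wp_safe_url_check(candidate))
```

Run stand-alone, the script shows that the metadata URL passes the safe-mode model but is stopped by the allowlist, which is why the patch needs both checks and why the allowlist must compare the parsed host exactly.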
Impact: Successful exploitation enables attackers to make outbound HTTP requests from the vulnerable WordPress instance. This can lead to information disclosure from internal services, including cloud metadata endpoints (such as AWS IMDS), internal APIs, or database administration interfaces. Attackers can also use the vulnerability to port-scan internal networks or interact with services that accept HTTP-based commands. Because the response body is consumed as an image rather than echoed back to the caller, the attacker usually gets only indirect feedback, but error messages or timing differences can still reveal information about internal systems.
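A detector for the abuse patterns described above, as an added example that is not part of the advisory or the plugin. Because the target URL travels in the POST body, it assumes a log source that records request bodies (a WAF or audit log); the JSON-lines record layout and the sample records are constructed for the example, and the port-sweep threshold of three distinct ports is an arbitrary choice.

```python
"""Detect CVE-2025-14438 exploitation attempts in request logs (added example).

Assumes a constructed JSON-lines log with the POST body recorded; the records
below are made up: one legitimate download, then one Subscriber probing the
cloud metadata endpoint and sweeping ports on an internal host.
"""
import ipaddress
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

PIXABAY_HOSTS = {"pixabay.com", "www.pixabay.com", "cdn.pixabay.com"}
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
SWEEP_THRESHOLD = 3  # distinct ports per (user, host) before flagging a sweep

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
{"ts": "2025-01-10T10:00:01Z", "user": "editor1", "path": "/wp-admin/admin-ajax.php", "body": "action=pixabayDownloadImage&img=https%3A%2F%2Fcdn.pixabay.com%2Fphoto%2F1.jpg&title=cat"}
{"ts": "2025-01-10T10:05:00Z", "user": "sub7", "path": "/wp-admin/admin-ajax.php", "body": "action=pixabayDownloadImage&img=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F&title=x"}
{"ts": "2025-01-10T10:05:02Z", "user": "sub7", "path": "/wp-admin/admin-ajax.php", "body": "action=pixabayDownloadImage&img=http%3A%2F%2F10.0.0.5%3A8080%2F&title=x"}
{"ts": "2025-01-10T10:05:03Z", "user": "sub7", "path": "/wp-admin/admin-ajax.php", "body": "action=pixabayDownloadImage&img=http%3A%2F%2F10.0.0.5%3A3306%2F&title=x"}
{"ts": "2025-01-10T10:05:04Z", "user": "sub7", "path": "/wp-admin/admin-ajax.php", "body": "action=pixabayDownloadImage&img=http%3A%2F%2F10.0.0.5%3A6379%2F&title=x"}
{"ts": "2025-01-10T10:06:00Z", "user": "sub7", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&data=1"}
"""


def classify_target(url):
    """Label where an img= URL points: ok, metadata, private, or external."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in PIXABAY_HOSTS:
        return "ok"
    if host in METADATA_HOSTS:
        return "metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname; DNS would be needed to classify further
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "external"


def detect(log_text):
    """One finding per suspicious pixabayDownloadImage call, plus a port-sweep finding per (user, host)."""
    findings = []
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not rec["path"].endswith("/admin-ajax.php"):
            continue
        params = parse_qs(rec["body"])  # decodes the percent-encoded img= value
        if params.get("action", [""])[0] != "pixabayDownloadImage":
            continue
        img = params.get("img", [""])[0]
        label = classify_target(img)
        if label == "ok":
            continue
        findings.append({"ts": rec["ts"], "user": rec["user"], "target": img, "label": label})
        parts = urlsplit(img)
        if parts.hostname:
            port = parts.port or (443 if parts.scheme == "https" else 80)
            ports_seen[(rec["user"], parts.hostname)].add(port)
    for (user, host), ports in ports_seen.items():
        if len(ports) >= SWEEP_THRESHOLD:
            findings.append({"user": user, "target": host, "label": "port-sweep",
                             "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The per-request labels catch the metadata and internal-host cases directly; the sweep rule catches the scanning use the advisory describes, where each individual request looks like a single bad URL but the set of ports reveals the intent. On a patched site the same calls should instead appear as rejected requests from the allowlist and capability checks.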
