Cyber Resilience

CVE-2025-69299

High

Published: 20 February 2026

Published
20 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0004 12.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69299 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-69299 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Laborator Oxygen WordPress theme. The issue impacts all versions from n/a through 6.0.8, allowing SSRF attacks as described in the CVE details published on 2026-02-20. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and changed scope.

Unauthenticated attackers can exploit this SSRF vulnerability remotely with low complexity and no user interaction. Successful exploitation enables limited confidentiality and integrity impacts, such as forging requests from the server to unintended locations, potentially bypassing access controls or interacting with internal services.

The primary advisory is available from Patchstack at https://patchstack.com/database/Wordpress/Theme/oxygen/vulnerability/wordpress-oxygen-theme-6-0-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve, which details the vulnerability in the Oxygen WordPress theme version 6.0.8. Practitioners should consult this reference for specific mitigation guidance, such as applying available patches or updates beyond version 6.0.8.

EU & UK References

Vulnerability details

Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery.This issue affects Oxygen: from n/a through <= 6.0.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing WordPress theme directly enables remote exploitation of the application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6514Shared CWE-918
CVE-2026-44116Shared CWE-918
CVE-2026-21887Shared CWE-918
CVE-2026-31910Shared CWE-918
CVE-2026-48153Shared CWE-918
CVE-2026-45298Shared CWE-918
CVE-2026-39362Shared CWE-918
CVE-2026-31989Shared CWE-918
CVE-2025-27652Shared CWE-918
CVE-2026-42352Shared CWE-918

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates untrusted URL inputs supplied to the Oxygen theme to block forged server-side requests to internal or external resources.

prevent

Enforces boundary controls and egress filtering that restrict the server from initiating unauthorized outbound requests characteristic of SSRF.

prevent

Enforces information flow policies that can deny the server process from reaching unintended internal destinations via SSRF.

References