CVE-2025-69299
Published: 20 February 2026
Summary
CVE-2025-69299 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-69299 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Laborator Oxygen WordPress theme. It affects all versions up to and including 6.0.8 (the advisory gives no lower bound, listed as "n/a"), and was published on 2026-02-20. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N): network-reachable, low attack complexity, no privileges or user interaction required, and Changed scope.
An unauthenticated attacker can exploit it remotely with low complexity and no user interaction. The server can be made to issue requests to attacker-chosen destinations, including internal services and hosts that are not reachable from the internet, with limited confidentiality and integrity impact (reading responses, triggering side effects). The Changed scope reflects that the impact lands on systems other than the vulnerable theme itself; no availability impact is claimed.
The primary advisory is available from Patchstack at https://patchstack.com/database/Wordpress/Theme/oxygen/vulnerability/wordpress-oxygen-theme-6-0-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve and covers Oxygen theme versions up to and including 6.0.8. Practitioners should consult that reference for the current remediation status and update to a release newer than 6.0.8 once the vendor publishes one; until then, restrict the server's outbound connectivity as described under Mitigating Controls.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207937
Vulnerability details
Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery. This issue affects Oxygen: from n/a through <= 6.0.8.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SSRF in public-facing WordPress theme directly enables remote exploitation of the application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates untrusted URL inputs supplied to the Oxygen theme to block forged server-side requests to internal or external resources.
- SC-7 (Boundary Protection): enforces boundary controls and egress filtering that restrict the server from initiating unauthorized outbound requests characteristic of SSRF.
- Enforces information flow policies that can deny the server process from reaching unintended internal destinations via SSRF.
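The following is an added example, written for this page and not code from the Oxygen theme or from Patchstack; the page does not show the vulnerable code path. It illustrates both the exploitation described under Deeper analysis (a user-controlled URL that the server fetches, redirected at internal services) and the SI-10 input-validation control above: scheme and port allow-listing, rejection of embedded credentials, resolution of the host to every address it maps to, and denial if any of them is non-public (loopback, RFC 1918, link-local including the 169.254.169.254 cloud metadata address, IPv6 ULA, IPv4-mapped IPv6). Redirects are refused so a validated public URL cannot bounce the server to an internal one. It is in Python rather than the theme's PHP so that it runs stand-alone; in WordPress the equivalent is to fetch with wp_safe_remote_get(), which applies wp_http_validate_url() to the target. The hostnames and addresses in DEMO_DNS are constructed for the demo and are not real lookups.

```python
"""SSRF guard for user-supplied fetch URLs (added example, not Oxygen theme code)."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Destinations a web server must never be tricked into reaching: loopback,
# RFC 1918, link-local (incl. cloud metadata 169.254.169.254), CGNAT,
# IPv6 ULA/link-local and IPv4-mapped IPv6 (a common filter bypass).
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on a user's behalf."""


def fetch_unchecked(url):
    # The vulnerable pattern: a user-controlled URL handed straight to the
    # HTTP client. Scheme, host, port and redirects are all attacker-chosen.
    return urllib.request.urlopen(url, timeout=5).read()


def system_resolver(host):
    """Return every address the OS resolver maps `host` to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def _is_denied(addr):
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 scope id
    return (not ip.is_global) or any(ip in net for net in DENIED_NETWORKS)


def validate_fetch_url(url, resolver=system_resolver):
    """Return the resolved addresses of `url`, or raise UnsafeUrl.

    Rejecting if *any* resolved record is internal defeats split-record DNS
    tricks where one answer is public and another is in 10.0.0.0/8.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeUrl("credentials embedded in URL")
    host = parsed.hostname
    if not host:
        raise UnsafeUrl("URL has no host")
    try:
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
    except ValueError as exc:
        raise UnsafeUrl("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeUrl(f"{host!r} resolved to nothing")
    for addr in addrs:
        if _is_denied(addr):
            raise UnsafeUrl(f"{host!r} resolves to non-public address {addr}")
    return addrs


def is_safe_fetch_url(url, resolver=system_resolver):
    try:
        validate_fetch_url(url, resolver)
        return True
    except UnsafeUrl:
        return False


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    # A validated URL that 302s to http://127.0.0.1/ would otherwise be
    # followed silently; force the caller to validate the new Location.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeUrl(f"redirect to {newurl!r} refused")


def fetch_checked(url, resolver=system_resolver):
    validate_fetch_url(url, resolver)
    opener = urllib.request.build_opener(_RefuseRedirects)
    return opener.open(url, timeout=5).read()


# Constructed DNS table for the stand-alone demo; no real lookups happen.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal.test": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # split records
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise socket.gaierror(f"demo: unknown host {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://example.com/feed.xml",
        "http://169.254.169.254/latest/meta-data/",
        "http://rebind.attacker.test/",
        "file:///etc/passwd",
        "http://user:pw@example.com/",
        "http://[::1]:80/",
    ):
        try:
            print("allow", candidate, validate_fetch_url(candidate, demo_resolver))
        except UnsafeUrl as exc:
            print("deny ", candidate, "->", exc)
```

Two caveats for production use. The lookup in validate_fetch_url and the lookup the HTTP client performs are separate, so a DNS rebinding attacker can return a public address first and an internal one second; pin the connection to the validated address (or use a client that lets you supply the resolver) rather than letting the client resolve again. And this application-level check complements, but does not replace, the SC-7 control above: host or network egress filtering that denies the web server process outbound connections to internal ranges catches the cases the validator misses.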