Cyber Posture

CVE-2025-8085

Severity: High · Public PoC available

Published: 08 September 2025
Modified: 09 February 2026
KEV Added: not listed
Patch: available (Ditty 3.1.58 or later)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.1092 (93.5th percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8085 is a high-severity SSRF (CWE-918) vulnerability in the Ditty WordPress plugin by Metaphorcreations. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.5% of all CVEs by EPSS exploit likelihood (93.5th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and to Cloud Instance Metadata API (T1522), the credential-access step an SSRF typically enables. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent, AC-3 (Access Enforcement): enforce authentication and authorization on the displayItems endpoint so that unauthenticated visitors cannot trigger server-side requests to arbitrary URLs.
- Prevent, SI-10 (Information Input Validation): validate URL inputs to the displayItems endpoint to block server-side fetches to unauthorized internal or external resources.
- Prevent, AC-4 (Information Flow Enforcement): enforce information flow control policies (egress filtering from the web tier) so that server-initiated requests cannot reach unauthorized destinations even if the endpoint check is bypassed.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1522 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Note that T1522 is a revoked ID in current ATT&CK releases; the same content is maintained as sub-technique T1552.005 (Unsecured Credentials: Cloud Instance Metadata API), which is the ID to use when tagging detections.
Why these techniques?

An unauthenticated SSRF in a public-facing WordPress plugin endpoint is exploited directly over the Internet (T1190), and the server-side fetch it grants can be pointed at the cloud instance metadata service (169.254.169.254 on the major providers) to harvest instance credentials (T1522, now T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

Deeper analysis [AI-generated]

CVE-2025-8085 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Ditty WordPress plugin in versions prior to 3.1.58. The flaw arises from insufficient authorization and authentication controls on the displayItems endpoint, which permits unauthenticated visitors to submit requests that cause the server to fetch content from arbitrary URLs. Published on 2025-09-08, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact across a changed scope.

Any unauthenticated internet user can exploit this vulnerability by sending crafted requests to the exposed displayItems endpoint on a vulnerable WordPress site. No privileges, user interaction, or special conditions are required, so a remote attacker can make the server issue HTTP requests to attacker-controlled or internal URLs. This can disclose information that only the server can reach, such as responses from internal services, cloud instance metadata endpoints, or other resources not directly reachable from the internet; the changed-scope (S:C) rating reflects that the impact lands on those systems rather than on the plugin itself.

The WPScan advisory at https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/ provides further details, with mitigation achieved by upgrading the Ditty plugin to version 3.1.58 or later, which introduces the necessary authentication and authorization checks.
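The SI-10 and AC-4 controls above come down to one check before every server-initiated fetch: only http/https, only an allow-listed host if the feature permits one, and no address that resolves into loopback, private, CGNAT or link-local space (the last contains the cloud metadata address). The following is an added Python example written for this page, not the Ditty plugin's own code (which is PHP); the names check_fetch_url, FetchDecision, BLOCKED_NETWORKS, the allowed_hosts parameter and the injectable resolver are this example's own assumptions, and the hostnames and addresses in the demo are constructed.

```python
"""Destination policy for server-initiated URL fetches (added example, not Ditty code).

The function names, the BLOCKED_NETWORKS list and the resolver hook are this
example's own choices; nothing here is taken from the plugin.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# Ranges a server-side fetch must never reach: "this host", RFC 1918, CGNAT,
# loopback, link-local (contains the 169.254.169.254 metadata address) and
# their IPv6 counterparts. IPv4-mapped IPv6 is unwrapped before matching.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class FetchDecision:
    allowed: bool
    reason: str
    pinned_ip: Optional[str] = None   # address the HTTP client must connect to


def system_resolver(host: str) -> List[str]:
    """All A/AAAA answers for host from the OS resolver (used only when no
    resolver is injected; the demo and tests pass a fake, so nothing touches
    the network)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_blocked(ip: IPAddress) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url: str, allowed_hosts: Iterable[str] = (),
                    resolver: Resolver = system_resolver) -> FetchDecision:
    """Decide whether the server may fetch url on behalf of a client.

    Every address the host resolves to is checked (a name with one public and
    one internal record is rejected), and the vetted address is returned so
    the caller connects to it directly instead of resolving a second time,
    which is what a DNS-rebinding answer would exploit. Run this again on
    every redirect target before following it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return FetchDecision(False, f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        return FetchDecision(False, "userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        return FetchDecision(False, "missing host")
    allowed = {h.lower() for h in allowed_hosts}
    if allowed and host.lower() not in allowed:
        return FetchDecision(False, f"host {host!r} not on allow-list")
    try:
        # Literal address (including bracketed IPv6): check it without DNS.
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        # A hostname, or a libc-only literal such as 0x7f.1 or 2130706433:
        # the resolver turns those into real addresses, which are then checked.
        try:
            ips = resolver(host)
        except OSError as exc:
            return FetchDecision(False, f"DNS failure for {host!r}: {exc}")
        if not ips:
            return FetchDecision(False, f"no address for {host!r}")
    for ip_text in ips:
        if _is_blocked(ipaddress.ip_address(ip_text)):
            return FetchDecision(False, f"{host!r} resolves to blocked address {ip_text}")
    return FetchDecision(True, "ok", pinned_ip=ips[0])


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    fake = {"feeds.example.com": ["203.0.113.10"],
            "rebind.example.net": ["203.0.113.10", "10.0.0.5"]}
    for u in ("https://feeds.example.com/rss.xml",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://rebind.example.net/",
              "file:///etc/passwd"):
        print(u, "->", check_fetch_url(u, resolver=lambda h: fake.get(h, [])))
```

The decision is only half the control: the AC-3 half is a capability or nonce check on the endpoint before this function is ever called, and the AC-4 half is network egress filtering that blocks the same ranges from the web tier regardless of what the code decides. In a WordPress plugin the equivalent building blocks are a `current_user_can()` or `check_ajax_referer()` gate on the handler and `wp_safe_remote_get()`, which applies `wp_http_validate_url()` to reject loopback and private destinations.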

Details

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Affected Products

metaphorcreations / ditty, versions before 3.1.58 (3.1.58 is the fixed release)

CVEs Like This One

- CVE-2026-33626 (shared CWE-918)
- CVE-2026-25545 (shared CWE-918)
- CVE-2026-33752 (shared CWE-918)
- CVE-2026-6604 (shared CWE-918)
- CVE-2026-28467 (shared CWE-918)
- CVE-2026-34367 (shared CWE-918)
- CVE-2026-27829 (shared CWE-918)
- CVE-2026-30832 (shared CWE-918)
- CVE-2026-34954 (shared CWE-918)
- CVE-2025-50199 (shared CWE-918)

References

- WPScan advisory: https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/