
CVE-2025-8085

Severity: High · Public PoC referenced

Published: 08 September 2025
Modified: 09 February 2026
KEV Added: not listed
Patch: fixed in 3.1.58
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.1640 (96.6th percentile)
Risk Priority: 60 (floored blend · peak EPSS)

Summary

CVE-2025-8085 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in the Ditty WordPress plugin by Metaphorcreations. Its CVSS base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.4% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The Ditty WordPress plugin before version 3.1.58 lacks authentication and authorization checks on its displayItems endpoint, so unauthenticated visitors can make the server issue requests to arbitrary URLs. The issue is tracked as CVE-2025-8085 and classified as CWE-918 (Server-Side Request Forgery). Its CVSS 3.1 score of 8.6 reflects a network attack vector, low attack complexity, no required privileges or user interaction, a changed scope (the forged request reaches systems beyond the vulnerable plugin itself) and high confidentiality impact, with no integrity or availability impact.

Unauthenticated remote attackers can invoke the endpoint to perform server-side request forgery. A successful request reaches any internal or external resource the WordPress server can connect to, such as services on the internal network or a cloud provider's instance metadata endpoint, potentially disclosing sensitive data without any prior authentication.

The primary public reference is the WPScan advisory located at https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/.

EPSS probability rose from a low baseline to a peak of 0.1887 before settling at the current value of 0.1092, indicating that exploitation interest increased after disclosure.


Vulnerability details

The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

An SSRF in a public-facing WordPress plugin endpoint is exploited directly over the network against the application (T1190), and a forged server-side request is a common way to reach a cloud provider's instance metadata API and harvest the credentials it serves (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30832 (shared CWE-918)
CVE-2026-28467 (shared CWE-918)
CVE-2026-25545 (shared CWE-918)
CVE-2026-34367 (shared CWE-918)
CVE-2026-27829 (shared CWE-918)
CVE-2026-6604 (shared CWE-918)
CVE-2026-41905 (shared CWE-918)
CVE-2026-33752 (shared CWE-918)
CVE-2026-33626 (shared CWE-918)
CVE-2026-0807 (shared CWE-918)

Affected Assets

metaphorcreations
ditty
< 3.1.58 (fixed in 3.1.58)

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

prevent · AC-3 Access Enforcement: Enforces authentication and authorization on the displayItems endpoint so that unauthenticated users cannot trigger SSRF requests to arbitrary URLs.

prevent · SI-10 Information Input Validation: Validates URL inputs to the displayItems endpoint to block server-side fetches of unauthorized internal or external resources.

prevent · AC-4 Information Flow Enforcement: Enforces information flow control policies that restrict server-initiated requests to approved destinations, so an SSRF cannot reach unauthorized ones.
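As an added illustration of the three controls above, and of the flaw described in the deeper analysis, the following WordPress AJAX handler shows the vulnerable pattern the advisory describes next to a hardened version. This is example code written for this page, not Ditty's own code: the action name `example_display_items`, the `url` request parameter and the `edit_posts` capability are assumptions.

```php
<?php
/**
 * Added example, not code from the Ditty plugin. Models the bug class in the
 * advisory: an AJAX action reachable by unauthenticated visitors that fetches
 * whatever URL the request names. Action, parameter and capability names are
 * assumptions made for this illustration.
 */

// --- Vulnerable pattern (assumed shape; not Ditty's real code) ---------------
// wp_ajax_nopriv_* runs for visitors who are not logged in at all.
add_action( 'wp_ajax_nopriv_example_display_items', 'example_display_items_vulnerable' );
add_action( 'wp_ajax_example_display_items',        'example_display_items_vulnerable' );

function example_display_items_vulnerable() {
    // No capability check, no nonce, no URL validation: anyone on the Internet
    // can make this server fetch http://169.254.169.254/ or an internal host.
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url );
    wp_send_json( wp_remote_retrieve_body( $response ) );
}

// --- Hardened version ----------------------------------------------------------
// Registered for logged-in users only: the wp_ajax_nopriv_ hook is gone.
add_action( 'wp_ajax_example_display_items', 'example_display_items_hardened' );

function example_display_items_hardened() {
    // AC-3: authorization (assumed capability) plus a CSRF nonce check.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_display_items', 'nonce' );

    // SI-10: accept only a parseable http(s) URL whose host is not internal.
    $url = isset( $_POST['url'] )
        ? esc_url_raw( wp_unslash( $_POST['url'] ), array( 'http', 'https' ) )
        : '';
    if ( '' === $url || ! example_url_is_allowed( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // AC-4: wp_safe_remote_get() sets reject_unsafe_urls, so WordPress re-checks
    // the URL and every redirect hop with wp_http_validate_url(); bound the
    // fetch in time and size as well.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'limit_response_size' => 1048576,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

/**
 * Resolve the host and reject loopback, private, link-local and reserved
 * ranges. wp_http_validate_url() rejects 127/8, 10/8, 172.16/12 and 192.168/16
 * but not 169.254/16 (where cloud instance metadata lives), so this check is
 * layered in front of it.
 */
function example_url_is_allowed( $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host ) {
        return false;
    }
    $host = trim( $host, '[]' ); // strip IPv6 literal brackets

    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $ip = $host;
    } else {
        $ip = gethostbyname( $host );   // IPv4 only; returns the name unchanged on failure
        if ( $ip === $host ) {
            return false;
        }
    }

    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::/128, ::ffff:0:0/96, fe80::/10
    return (bool) filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}
```

Two caveats a practitioner should keep in mind: the pre-check resolves the name once, so a DNS rebinding attacker can still answer with a public address first and an internal one when WordPress connects (the reject_unsafe_urls re-check in wp_safe_remote_get() narrows but does not close that window), and gethostbyname() ignores AAAA records, so IPv6-only internal hosts are only caught if the literal address is supplied. Where the set of legitimate sources is known, an explicit host allowlist is stronger than any denylist.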

References

WPScan advisory: https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/