Server-Side Request Forgery in WeRSS by Rachelos
CVE-2025-13174

5.3MEDIUM

Key Information:

Vendor

Rachelos

Status
Werss We-mp-rss
Vendor
CVE Published:
14 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13174?

A vulnerability exists in the WeRSS component from Rachelos, specifically within the do_job function of the Webhook Module. By manipulating the web_hook_url parameter, an attacker can trigger server-side request forgery, potentially exposing sensitive information or enabling further attacks. This flaw affects WeRSS versions up to and including 1.4.7 and can be exploited remotely, making it critical for users to assess their installations and apply necessary updates.

Affected Version(s)

WeRSS we-mp-rss 1.4.0

WeRSS we-mp-rss 1.4.1

WeRSS we-mp-rss 1.4.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13174 - Proof of Concept

References

https://vuldb.com/?id.332465
vdb-entrytechnical-description
https://vuldb.com/?ctiid.332465
signaturepermissions-required
https://vuldb.com/?submit.684803
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

din4 (VulDB User)
JSON
.
CVE-2025-13174 : Server-Side Request Forgery in WeRSS by Rachelos