Security Update: Additional Next.js + React Server Components Vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)

WordPress VIP continues to monitor and respond to the evolving security issues affecting React Server Components and frameworks that rely on them, including Next.js. Since our earlier advisory, several additional high-severity vulnerabilities have been published.

What’s new

Newly disclosed issues affecting React Server Components include:

  • CVE-2025-55183: possible source code exposure
  • CVE-2025-55184: denial-of-service conditions
  • CVE-2025-67779: an update expanding the denial-of-service vulnerability class associated with CVE-2025-55184

These issues follow the earlier React2Shell (CVE-2025-55182) remote code execution vulnerability (CVSS 10.0), which continues to see active scanning and exploitation attempts globally.

Official advisories:

Customer impact

Applications using React Server Components or affected versions of Next.js may be exposed to denial-of-service behavior, unintended disclosure of source code, or other runtime issues depending on application structure and use of RSC features.

Actions taken by WordPress VIP

We have implemented protective mitigations across the platform intended to reduce exposure to known exploit patterns associated with these newly disclosed vulnerabilities. We continue to monitor for emerging techniques and will adjust mitigations as new information becomes available.

We have also contacted customers running configurations that may be affected.

Required customer action

It is imperative that all customers using React Server Components or vulnerable versions of Next.js upgrade to the latest patched releases as soon as possible. Upstream updates contain important security fixes that provide the most complete protection against these issues and future related variants.

If you are unsure whether your application is affected or need guidance on updating, please contact VIP Support.

Ongoing commitment

WordPress VIP will continue working closely with upstream maintainers and monitoring ongoing research to ensure our customers remain protected. Additional updates will be posted when new information becomes available.

Security Advisory: React and Next.js Vulnerabilities (CVE-2025-66478 / CVE-2025-55182)

WordPress VIP is aware of recently disclosed critical vulnerabilities affecting React Server Components and frameworks built on top of them, including Next.js.

Summary

On December 3, 2025, the React and Next.js teams disclosed critical vulnerabilities:

These vulnerabilities could allow unauthorized access to server-side data in certain configurations of applications using React Server Components or affected Next.js versions.

Impact on WordPress VIP customers

A limited number of VIP customers run applications built on Next.js that are impacted by these disclosures.

WordPress VIP has:

  1. Reached out directly to all customers running affected versions of Next.js.
  2. Implemented protective mitigations to shield all VIP environments from known exploit patterns.

We will continue to monitor for emerging attack signatures and adjust our mitigation strategy as new information becomes available.

Recommended actions for customers

  • If you operate a custom application using Next.js or React Server Components, please ensure you update immediately to a patched version as recommended by the upstream maintainers, and follow the guidelines our team shared directly with your organization.
  • Review official vendor guidance and changelogs:
  • If you are unsure whether your application is affected, please contact VIP Support.

Our commitment

Security is core to the WordPress VIP platform. We are actively collaborating with upstream maintainers and continuously refining mitigations to ensure all customer workloads remain protected. Updates will be provided if further information becomes available.

New Release: Trust Center

Screenshot of the Trust Center

We’re excited to share that our new WordPress VIP Trust Center is now available for your use.

The Trust Center is your one-stop destination for security and compliance information. It brings together everything you need in a single, reliable place, making it easier than ever to access the details you need.

What you’ll find inside

  • A full list of our compliance certifications and assessments.
  • Quick links to our most relevant public security and compliance resources.
  • An updates section where we share the latest compliance-related news and updates.
  • An overview of the WordPress VIP Trust Package with a request form for self-serve access.

Customers can now directly request our Trust Package, a curated set of our most frequently asked-for compliance documents (including our SOC 2 report, architecture diagram, infosec policies, test summaries, and more). Once submitted, you’ll automatically receive a download link via email.

Why this matters

The Trust Center gives you and your teams direct, on-demand access to the compliance and security resources you need, without the need to go through multiple communication channels.

Ending OCSP Stapling Support

Effective June 27, 2025, we’re ending OCSP stapling support from our systems:

  1. Custom certificates with OCSP Must-Staple Extension
    Our systems will no longer accept TLS certificates that include the OCSP Must-Staple extension.
  2. Discontinuation of OCSP Stapling Response
    We will cease adding “TLS Certificate Status Request” extensions (also known as OCSP Stapling) to certificates we present to clients. This means that custom certificates that include “OCSP Must-Staple” will not be considered valid by TLS clients, since they will not have staple information when presented to them. TLS clients that expect staple information will also fail.

These changes only have the potential to affect customers utilizing custom TLS certificates. However, we have verified that no currently active customers are using certificates with the OCSP Must-Staple extension. Customers using Let’s Encrypt-provided certificates are not impacted, as Let’s Encrypt removed OCSP support on May 7, 2025.

We’re phasing out OCSP stapling because the industry is shifting away from the protocol and towards more reliable and privacy-focused alternatives such as CRL / CRLite and shorter-lived certificates. OCSP stapling adds operational complexity and can fail silently, leading to inconsistent client behavior. These platform changes align with moves by the CAB Forum (Certificate Authority/Browser Forum) to deprecate OCSP in favor of these more resilient mechanisms.

What You Need to Do:

We’ve confirmed that none of our currently active customers are using TLS certificates with the OCSP Must-Staple extension, so no action is required at this time. However, starting June 27, 2025, our systems will no longer include OCSP stapling information in TLS handshakes. If your infrastructure or clients (such as security-hardened browsers, firewalls, or API consumers) expect a stapled OCSP response, we recommend verifying that they can gracefully handle connections without it. Future custom certificates must also not require OCSP Must-Staple to remain compatible.
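The following is an added example, not WordPress VIP code: a standard-library-only check that tells you whether a certificate you plan to upload carries the OCSP Must-Staple marker (a TLS Feature extension listing status_request) and would therefore be refused. The two sample inputs are constructed extension blocks, not real certificates.

```python
# Added example (not WordPress VIP code): detect the OCSP Must-Staple marker,
# i.e. a TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) listing
# status_request (5), in a DER certificate using only the standard library.
# The sample inputs at the bottom are constructed extension blocks, not real certs.
import ssl

TLS_FEATURE_OID = bytes.fromhex("06082b06010505070118")  # DER TLV of 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension type "status_request", i.e. OCSP stapling


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def tls_features(der: bytes) -> list:
    """Integers listed in the TLS Feature extension, or [] when it is absent.
    Finding the OID by byte search is a heuristic, adequate for a pre-upload check."""
    idx = der.find(TLS_FEATURE_OID)
    if idx < 0:
        return []
    tag, value, pos = _read_tlv(der, idx + len(TLS_FEATURE_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING
        tag, value, pos = _read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    _, seq, _ = _read_tlv(value, 0)  # the OCTET STRING wraps a SEQUENCE OF INTEGER
    features, p = [], 0
    while p < len(seq):
        t, v, p = _read_tlv(seq, p)
        if t == 0x02:
            features.append(int.from_bytes(v, "big"))
    return features


def requires_must_staple(der: bytes) -> bool:
    """True if the certificate demands a stapled OCSP response (it would be refused)."""
    return STATUS_REQUEST in tls_features(der)


def requires_must_staple_pem(pem: str) -> bool:
    """Same check for the text of a PEM file, converted with the standard library."""
    return requires_must_staple(ssl.PEM_cert_to_DER_cert(pem))


# Constructed samples: an Extensions SEQUENCE holding basicConstraints plus a
# TLS Feature extension {status_request}, and one holding basicConstraints only.
BASIC_CONSTRAINTS_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")
MUST_STAPLE_EXT = bytes.fromhex("301106082b0601050507011804053003020105")
WITH_MUST_STAPLE = bytes([0x30, len(BASIC_CONSTRAINTS_EXT) + len(MUST_STAPLE_EXT)]) + BASIC_CONSTRAINTS_EXT + MUST_STAPLE_EXT
WITHOUT_MUST_STAPLE = bytes([0x30, len(BASIC_CONSTRAINTS_EXT)]) + BASIC_CONSTRAINTS_EXT
```

For a real certificate file, pass its PEM text to `requires_must_staple_pem`; the same extension is what `openssl x509 -noout -text` reports as a TLS Feature with `status_request`.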

More information on managing custom certificates is available in our documentation: https://docs.wpvip.com/tls/custom-cert/

If you have any questions or need support, please feel free to open a ticket.

Better Security with Step-up Authentication

Today, we’re introducing a new layer of security into the VIP Dashboard: Step-up authentication.
Step-up authentication is a security process requiring MFA verification when engaging in sensitive or high-risk actions.

This additional security measure acts as a barrier against bad actors: even if an account is compromised, high-risk actions still require a fresh MFA verification, so unauthorized actions are prevented. This provides an additional layer of protection to safeguard your sites.

Why it matters

Step-up authentication dynamically increases verification requirements based on the risk level of user actions, ensuring that risky actions are validated before being executed. 

This approach enhances security, reducing the risk associated with compromised sessions.

How it works


Step-up authentication will provide extra protection for actions like granting users permissions, changing the deployment branch, and many more.

When completing some of these high-risk tasks or accessing sensitive resources, users will be asked to reauthenticate using one of the Multi-Factor Authentication (MFA) methods set up via VIP Authentication.

Completing this process will allow users to perform other secure actions or access protected routes for one hour. Once the hour has passed, any attempt to access a protected route or perform a secure action will require reauthentication.

Users logging in via SSO won’t be affected for now.
Find out more about Step-up authentication in the VIP Dashboard in our documentation.
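To make the one-hour window concrete, here is an added model of the step-up policy described above; it is not VIP Dashboard code. The action names, the session fields and the "sso" login-method value are assumptions made for illustration.

```python
# Added example (not VIP Dashboard code): a minimal model of the step-up policy
# described above. Action names, session fields and the "sso" login-method
# value are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional

STEP_UP_WINDOW = 60 * 60  # one hour, as described in the announcement
HIGH_RISK_ACTIONS = {"grant_user_permissions", "change_deployment_branch"}  # assumed names


@dataclass
class Session:
    session_id: str
    login_method: str  # "mfa" or "sso" (assumed values)
    step_up_verified_at: Optional[float] = None  # kept server-side, never client-supplied


def needs_step_up(session: Session, action: str, now: float) -> bool:
    """True when the action is high-risk and no MFA reauth within the window exists."""
    if action not in HIGH_RISK_ACTIONS:
        return False
    if session.login_method == "sso":  # SSO logins are not affected for now
        return False
    if session.step_up_verified_at is None:
        return True
    return now - session.step_up_verified_at >= STEP_UP_WINDOW


def perform(session: Session, action: str, now: float, mfa_ok: bool = False) -> str:
    """Gate an action: returns 'allowed', or 'step_up_required' when a fresh MFA
    verification is needed and mfa_ok is False. A passed MFA check stamps this
    session so further high-risk actions are allowed for the next hour."""
    if needs_step_up(session, action, now):
        if not mfa_ok:
            return "step_up_required"
        session.step_up_verified_at = now  # bind the reauth to this session only
    return "allowed"
```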

WordPress VIP Achieves FedRAMP Moderate ATO

We’re thrilled to announce that WordPress VIP has achieved FedRAMP Moderate Authority to Operate (ATO), making it the first managed WordPress platform to meet the rigorous security and compliance standards required for U.S. federal agencies and highly regulated industries.

For this authorization, WordPress VIP demonstrated a secure, scalable, and compliant CMS solution that empowers the largest organizations on the web, including government agencies, to deliver fast, accessible, and reliable digital experiences.

FedRAMP (Federal Risk and Authorization Management Program) is one of the most rigorous cloud security assessments in the world. It ensures that cloud-based services meet stringent security requirements before federal agencies can use them. 

What this means:

  • The vast majority of federal agencies and contractors can now leverage WordPress VIP’s secure and compliant cloud solution. 
  • Our platform includes hundreds of security controls covering encryption, access management, continuous monitoring, and incident response. Our ongoing compliance with FedRAMP standards is maintained through ongoing security scans and annual audits by certified independent assessors.
  • Customers in highly regulated industries, including healthcare, finance, and technology, benefit from the same enhanced security posture.

This achievement is a testament to the dedication of our team and our ongoing investment in secure, enterprise-grade WordPress solutions. For more details, visit our announcement.

New Feature: Deny Requests Based on User Agent

We’re excited to introduce another new access control feature in the VIP Dashboard. You can now block requests based on the user agent, adding an additional layer of protection for your application powered by the VIP CDN.


What’s New?

This feature allows you to block requests from specific user agents, such as AI crawlers and unwanted bots, before they even reach your application. With better control of the traffic accessing your site, you can ensure that unwanted traffic doesn’t impact your app’s performance.

User agent block rules are managed in the VIP Dashboard on the User Agents page, located under the Security Controls section. Requests can be blocked based on exact or partial matches of user agent strings.

Why This Matters

  • Edge-Based Denial: Requests are blocked at the VIP CDN, reducing application load and ensuring faster response times for legitimate users.
  • No Deployments Required: Easily enable and manage this feature directly from the VIP Dashboard — no code changes or deployments needed.
  • Granular Control: Set rules to block full or partial user-agent strings for better control over your traffic.
  • Independent of IP Restrictions: Use this feature alone or combine it with IP address restrictions for enhanced security.

If you’re currently using the VIP_Request_Block class in your application code to manage user agent blocks, we’ve created a guide to help you transition to this new, easier method of restricting access.

Find out more about this feature in our documentation. 

New Feature Release – Deny Requests Based on IP

We’re excited to introduce a powerful new capability for VIP customers: IP-Based Request Denial on the VIP Platform. This feature gives you direct control over who is blocked from accessing your application right in the VIP Dashboard without requiring a new code deployment.


What’s New?

With this update, you can now deny access directly at the VIP Edge level, making access restrictions faster and simpler to manage. By blocking unwanted requests earlier in the workflow, this feature enhances security and removes the need for manual code deployments to deny certain IPs.

In addition, we’ve made several updates to the IP Restrictions interface:

  • Add Notes to IP Restrictions: You can now include descriptive notes to track why specific IPs or ranges are denied or allowed, improving clarity for team collaboration and long-term management.
  • Updated Design: A refreshed, more intuitive interface makes managing IP restrictions easier than ever.

Check out our documentation for more details on the new capabilities.


Why This Matters

  1. Enhanced Security: Prevent unauthorized access before it reaches your application, ensuring a safer experience for your users.
  2. Operational Efficiency: You can implement changes on the fly, without waiting for a code deployment or restarting workflows.
  3. Improved Usability: The updated interface allows you to add notes and manage restrictions, helping your team stay organized and aligned.

This feature is available now! Explore IP Restrictions in the Access & Routing section of your VIP Dashboard to streamline access control for your application. As always, we’re here to support you and empower your security, one feature at a time. Let’s make access management smarter and easier!

New Changes to Access-Controlled Files

We’ve improved how you interact with access-controlled media files in your non-production environments.

The Access-Controlled Files feature restricts access to files and media uploaded to the WordPress Media Library of a site.

https://docs.wpvip.com/access-and-routing/access-controlled-files/

Non-production environments will automatically inherit the media files access-control settings from their parent environment. 

In addition to this, you will have the flexibility to override these settings on any non-production environment, taking precedence over the parent environment’s configuration. This will give you greater control to tailor access settings for specific environments, potentially useful for testing or staging scenarios.

However, it’s important to be cautious when overriding these settings:

  • Security Risks: Allowing more open access in non-production environments can inadvertently expose sensitive media files, especially if the environment is accessible beyond your internal team.
  • Inconsistent Access: If the settings between environments differ significantly, it could lead to confusion or accidental exposure of files during deployments or migrations.

The process to configure the Access-Controlled Files settings remains the same, as detailed in the documentation.


As a reminder about media on WordPress VIP, in general, files uploaded to a WordPress production environment are automatically shared with and available to associated non-production environments.

For more details please refer to the documentation. Reach out to us if you have any questions!

New Release: Plugin Vulnerability notifications


We’re excited to announce plugin vulnerability notifications on WordPress VIP, enabling rapid triage and response from your teams, and enhancing your site’s security.

Effective immediately, key members of your team will automatically receive emails for HIGH and CRITICAL plugin vulnerabilities, ensuring you can take prompt action on essential security concerns. This critical notification feature is called “Important Alerts”.

Want more comprehensive coverage? Opt in to receive notifications for any vulnerabilities, all delivered through your preferred channels—Slack, Google Chat, Microsoft Teams, a webhook, or email.

We care deeply about the security of your applications running on the WordPress VIP Platform. One of the key methods we utilize to keep your application secure is vulnerability detection.

The VIP platform scans for vulnerabilities before deployment and at regular intervals after deployment, keeping you informed of vulnerabilities found. We scan the code in every pull request for known vulnerabilities before it is deployed, reporting results in easy-to-read GitHub comments. Deployed code is scanned for newly discovered vulnerabilities, which are reported on the VIP Dashboard plugins panel, where you can easily create a pull request to update the plugin and fix the issue.

Today, we’re adding notifications of all newly uncovered vulnerabilities discovered in your plugins. You can choose a combination of Slack, Google Chat, or Microsoft Teams, a general-purpose webhook URL, or an email address as destinations for plugin vulnerability notifications.

If we find a vulnerability with a severity of HIGH or CRITICAL, we will proactively push an Important Alert. Important Alerts are automatically emailed to all your Organization Administrators. You can easily add additional destinations from the array of supported communications channels, ensuring critical messages always reach the right members of your team or are routed to your own on-call management systems.

To manage your destinations for important alerts:

  1. For any organization, choose “Notifications” from the left-hand menu.
  2. Choose “Manage Alerts” from the “Important Alerts” area near the top of the screen.
  3. From the “Important Alerts” panel, add new or existing destinations, or remove any destinations previously added.

To subscribe to newly discovered plugin vulnerabilities for an organization or application:

  1. For any organization or any application environment, choose “Notifications” from the left-hand menu.
  2. Choose “Add Notification”, select “Plugin Vulnerabilities”, then configure your notification as usual.

If you have any questions or concerns related to this upcoming change, please open a support ticket and we will be happy to assist.