The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.
Metrics
Affected Vendors & Products
References
History
Tue, 17 Dec 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 17 Dec 2024 05:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata. | |
Title | WP All Import Pro <= 4.9.3 - Authenticated (Administrator+) Server-Side Request Forgery via File Import | |
Weaknesses | CWE-918 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-12-17T05:23:40.625Z
Updated: 2024-12-17T14:36:25.022Z
Reserved: 2024-10-08T11:19:22.388Z
Link: CVE-2024-9624
Vulnrichment
Updated: 2024-12-17T14:36:20.095Z
NVD
Status : Received
Published: 2024-12-17T06:15:21.173
Modified: 2024-12-17T06:15:21.173
Link: CVE-2024-9624
Redhat
No data.