CVE-2024-13904
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13904 is a Blind Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the Platform.ly for WooCommerce plugin for WordPress in all versions up to and including 1.1.6. The flaw exists in the 'hooks' function, which allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-03-07.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation enables attackers to leverage the web server to query and modify information from internal services that are not directly accessible from the internet, potentially leading to data leakage or unauthorized internal interactions.
References indicate mitigation through patching. The vulnerable code is visible in the plugin source at platformly-for-woocommerce.php line 167 on the WordPress plugin trac, with a fix applied in changeset 3249460. Wordfence provides further threat intelligence details on the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated SSRF vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications to interact with internal services.