CVE-2024-13923
Published: 20 March 2025
Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Security Summary
CVE-2024-13923 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Order Export & Order Import for WooCommerce plugin for WordPress in all versions up to and including 2.6.0. The flaw resides in the validate_file() function, which fails to properly restrict requests, enabling unauthorized server-side interactions. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N), reflecting high confidentiality impact with changed scope due to potential access to internal resources.
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability by leveraging the plugin's functionality to initiate web requests to arbitrary locations from the web application server. This allows them to query sensitive information from internal services or, in some cases, modify data, bypassing network restrictions and exposing backend systems to reconnaissance or limited manipulation.
Advisories from Wordfence detail the vulnerability and its exploitation vectors, while a patch is available in WordPress plugin trac changeset 3258567, addressing the issue in the class-import-ajax.php file around line 175. Security practitioners should update to a version beyond 2.6.0 and review access controls for admin users on affected WordPress installations.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing WordPress plugin directly maps to T1190 for exploitation; enables internal reconnaissance of systems/services via arbitrary server requests.