CVE-2024-13924
Published: 08 March 2025
Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Security Summary
CVE-2024-13924 is a Blind Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Starter Templates by FancyWP plugin for WordPress. It affects all versions up to and including 2.0.0 and stems from inadequate validation via the 'http_request_host_is_external' filter. Published on March 8, 2025, the issue has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By triggering the flawed filter, they can force the web server to originate requests to arbitrary external locations, enabling blind SSRF attacks. This could allow querying or modifying data from internal services that are not directly accessible from the internet.
Advisories from Wordfence provide detailed threat intelligence on the vulnerability, while the WordPress plugin Trac repository shows the relevant code in class-export.php. Mitigation likely involves updating the plugin to a version later than 2.0.0, as version 2.0.0 and all earlier versions remain vulnerable.
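As an added illustration (not code from the plugin's class-export.php), the following shows the blanket filter override that defeats WordPress's internal-host check in wp_http_validate_url(), beside an allowlisted replacement; the internal host name is a hypothetical placeholder.

```php
<?php
// Added illustrative example; not code from the Starter Templates plugin.
// WordPress calls this filter from wp_http_validate_url() only when a URL's
// host resolves to a loopback or private address. Returning true tells core
// to treat that host as public and let the request proceed.

// Weak pattern: blanket override. Every URL that reaches wp_safe_remote_get()
// or wp_safe_remote_post() may now target internal services, which is the
// SSRF root cause described in the advisory.
// add_filter( 'http_request_host_is_external', '__return_true' );

// Hardened pattern: only permit the specific internal hosts the plugin needs,
// and only over HTTPS. The host name below is a hypothetical placeholder.
const STARTER_TEMPLATE_INTERNAL_HOSTS = array( 'templates.internal.example' );

function starter_template_host_is_external( $external, $host, $url ) {
    if ( $external ) {
        return true; // Core already classified the host as public; do not interfere.
    }
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( 'https' !== strtolower( (string) $scheme ) ) {
        return false; // Never approve plain-text or unusual schemes to internal hosts.
    }
    // Exact, case-insensitive match against the allowlist; anything else stays blocked.
    return in_array( strtolower( $host ), STARTER_TEMPLATE_INTERNAL_HOSTS, true );
}
add_filter( 'http_request_host_is_external', 'starter_template_host_is_external', 10, 3 );
```

If the plugin does not genuinely need to reach any internal host, the safest change is to remove the filter entirely and rely on core's default rejection of private and loopback addresses.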
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for remote unauthenticated exploitation. It also facilitates T1046 (Network Service Discovery) by allowing the server to originate requests that can probe and query internal network services.