Server-Side Request Forgery Vulnerability in Import XML and RSS Feeds Plugin by WordPress
CVE-2020-24148

9.1CRITICAL

Key Information:

Vendor: Wordpress
Status: Import Xml And Rss Feeds
Vendor: CVE Published:; 7 July 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 46%

Summary

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Import XML and RSS Feeds plugin version 2.0.1 for WordPress. This flaw allows attackers to manipulate the data parameter in a moove_read_xml action, potentially leading to unauthorized access and data exposure on the server. It is essential for website administrators to update to a secure version immediately to mitigate the risk of this exploit.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-24148
Created by dwisiswant0

References

https://wordpress.org/plugins/import-xml-feed/#developers

x_refsource_MISC

https://github.com/secwx/research/blob/main/cve/CVE-2020-...

x_refsource_MISC

EPSS Score

46% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 12, 2021
👾
Exploit known to exist
Jul 12, 2021
Vulnerability published
Jul 7, 2021
Vulnerability Reserved
Aug 13, 2020