Server-Side Request Forgery in Enfold Theme for WordPress
CVE-2024-13695
6.4MEDIUM
Key Information:
- Vendor
- Kriesi
- Status
- Enfold - Responsive Multi-purpose Theme
- Vendor
- CVE Published:
- 25 February 2025
Summary
The Enfold theme for WordPress is susceptible to a Server-Side Request Forgery (SSRF) vulnerability due to improper validation of the 'attachment_id' parameter. This flaw affects all versions up to and including 6.0.9, enabling authenticated attackers with Subscriber-level access or higher to exploit it. By leveraging this weakness, attackers can initiate web requests to arbitrary destinations, potentially allowing them to interact with and modify internal services beyond the security perimeter of the web application.
Affected Version(s)
Enfold - Responsive Multi-Purpose Theme * <= 6.0.9
References
CVSS V3.1
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michael Mazzolini