Server-Side Request Forgery in Enfold Theme for WordPress
CVE-2024-13695

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Enfold - Responsive Multi-purpose Theme
Vendor: CVE Published:; 25 February 2025

What is CVE-2024-13695?

The Enfold theme for WordPress is susceptible to a Server-Side Request Forgery (SSRF) vulnerability due to improper validation of the 'attachment_id' parameter. This flaw affects all versions up to and including 6.0.9, enabling authenticated attackers with Subscriber-level access or higher to exploit it. By leveraging this weakness, attackers can initiate web requests to arbitrary destinations, potentially allowing them to interact with and modify internal services beyond the security perimeter of the web application.

Affected Version(s)

Enfold - Responsive Multi-Purpose Theme * <= 6.0.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/enfold-responsive-multipurpo...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Jan 23, 2025

Credit

Michael Mazzolini