Server-Side Request Forgery in Your Friendly Drag and Drop Page Builder Plugin
CVE-2024-13856

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Your Friendly Drag And Drop Page Builder — Make Builder
Vendor: CVE Published:; 22 March 2025

What is CVE-2024-13856?

The Make Builder plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF) due to a flaw in the make_builder_ajax_subscribe() function. This vulnerability allows authenticated users with Subscriber-level access and above to send unauthorized web requests to remote locations. As a result, attackers can potentially interact with internal services, compromising the security and confidentiality of sensitive information. It is crucial for users of the affected versions to take immediate action to mitigate this risk.

Affected Version(s)

Your Friendly Drag and Drop Page Builder — Make Builder * <= 1.1.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/make-builder/#developers

https://plugins.trac.wordpress.org/browser/make-builder/t...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2025
Vulnerability Reserved
Feb 10, 2025

Credit

Francesco Carlucci