Server-Side Request Forgery Vulnerability in WP All Import Pro Plugin for WordPress
CVE-2024-9624

7.6HIGH

Key Information:

Vendor: Wordpress
Status: WP All Import Pro
Vendor: CVE Published:; 17 December 2024

Summary

CVE-2024-9624 identifies a significant Server-Side Request Forgery (SSRF) vulnerability in all versions of the WP All Import Pro plugin for WordPress up to and including 4.9.3. This vulnerability arises from inadequate SSRF protection in the pmxi_curl_download function, which allows attackers with Administrator-level access to send web requests to arbitrary locations. Exploiting this flaw, authenticated attackers could potentially manipulate internal services and extract confidential data from cloud environments, including instance metadata. It underscores the importance of maintaining robust security measures in WordPress plugins to mitigate the risks posed by SSRF vulnerabilities.

Affected Version(s)

WP All Import Pro * <= 4.9.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.wpallimport.com

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 17, 2024
Vulnerability Reserved
Oct 8, 2024

Credit

Ivan Kuzymchak