Platform
wordpress
Component
bit-form
Fixed in
2.17.5
A Server-Side Request Forgery (SSRF) vulnerability exists in the Contact Form by Bit Form plugin for WordPress, affecting versions up to and including 2.17.4. This flaw allows authenticated attackers with administrator-level access to initiate web requests to arbitrary locations, effectively leveraging the plugin to query or modify internal services. The vulnerability has been publicly disclosed and a patch is available.
The SSRF vulnerability allows an authenticated administrator to craft malicious webhooks that send requests to internal resources or external systems. This could lead to sensitive data exposure, unauthorized access to internal APIs, or even potential modification of internal configurations. An attacker could, for example, attempt to access internal databases or services that are not directly exposed to the internet. In a Multisite environment, the vulnerability could potentially impact multiple sites within the same installation. While the CVSS score is LOW, the potential for internal reconnaissance and lateral movement within a WordPress environment makes this a significant concern.
This vulnerability was publicly disclosed on 2025-01-25. There are currently no known public exploits or active campaigns targeting this specific SSRF vulnerability. It is not listed on the CISA KEV catalog at the time of writing. While the CVSS score is low, the ease of exploitation for administrators with access warrants prompt remediation.
WordPress websites utilizing the Contact Form by Bit Form plugin, particularly those with administrator accounts and internal services accessible via HTTP or HTTPS. Shared hosting environments where multiple WordPress sites share the same server infrastructure are also at increased risk, as a compromised administrator account on one site could potentially be used to exploit the vulnerability on other sites.
• wordpress / composer / npm:
grep -r 'Webhook_url' /var/www/html/wp-content/plugins/contact-form-by-bit-form/*
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/contact-form-by-bit-form/webhook.php | grep -i 'server:'
Disclosure
Exploit status
EPSS
0.34% (57th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Contact Form by Bit Form plugin to version 2.18.0 or later, which contains the fix. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider temporarily restricting access to the Webhooks integration feature. Implement strict input validation on any data used in webhook URLs to prevent attackers from injecting malicious URLs. Monitor WordPress logs for unusual outbound requests originating from the plugin, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger a webhook request to an internal service and verifying that the request is blocked or handled appropriately.
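The "strict input validation on any data used in webhook URLs" above is the control that closes this class of bug. The following is an added example of such a check, not Bit Form's own code: it enforces an https-only scheme, rejects embedded credentials and local hostnames, and refuses any target whose literal IP or DNS records fall in loopback, private, link-local or other reserved ranges. The function names, the stub resolver and the sample URLs are constructed for the example (PHP 8+).

```php
<?php
// Added example, not Bit Form's own code: validate an admin-supplied webhook
// URL before the plugin makes the outbound request (PHP 8+, hypothetical names).
/** True if $ip is loopback, private, link-local or otherwise reserved. */
function ssrf_is_internal_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}
// Returns null if $url may be called, otherwise the rejection reason.
// $resolver maps hostname -> IPs; injectable so the check can run offline.
function ssrf_reject_reason(string $url, ?callable $resolver = null): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return 'malformed URL';
    }
    if (strtolower($p['scheme']) !== 'https') {   // scheme allow-list
        return 'only https webhooks are allowed';
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL are not allowed';
    }
    $host = strtolower(trim($p['host'], '[]'));    // strip IPv6 brackets
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return 'local hostnames are not allowed';
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {   // literal IP
        return ssrf_is_internal_ip($host) ? 'internal IP is not allowed' : null;
    }
    // Hostname: resolve and reject if ANY record is internal.
    $resolver ??= fn(string $h) => gethostbynamel($h) ?: [];
    $ips = $resolver($host);
    if ($ips === []) {
        return 'hostname does not resolve';
    }
    foreach ($ips as $ip) {
        if (ssrf_is_internal_ip($ip)) {
            return 'hostname resolves to an internal IP';
        }
    }
    return null;
}
// Constructed inputs, resolved through a stub so no network is needed.
$stub = fn(string $h) => $h === 'hooks.example.com' ? ['203.0.113.10'] : ['10.0.0.5'];
foreach (['https://hooks.example.com/in', 'http://hooks.example.com/in',
          'https://127.0.0.1/admin', 'https://intranet.corp/api'] as $u) {
    printf("%-35s %s\n", $u, ssrf_reject_reason($u, $stub) ?? 'ok');
}
```

Inside WordPress, the same policy is available from core by sending the request with `wp_safe_remote_post()` (which sets `reject_unsafe_urls` and runs `wp_http_validate_url()`), so a plugin need not reimplement the range checks. A resolve-then-connect check still leaves a window for DNS rebinding, so where the HTTP client allows it, connect to the address that was validated rather than resolving the hostname a second time.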
Update the Contact Form by Bit Form plugin to the latest available version. The Server-Side Request Forgery (SSRF) vulnerability has been fixed in versions later than 2.17.4. This will prevent authenticated attackers with administrator privileges from making web requests to arbitrary locations from your web application.
CVE-2024-13450 is a Server-Side Request Forgery vulnerability affecting the Contact Form by Bit Form WordPress plugin, allowing authenticated admins to make arbitrary web requests.
You are affected if you are using the Contact Form by Bit Form plugin in WordPress versions 2.17.4 or earlier. Upgrade to 2.18.0 or later to mitigate the risk.
Upgrade the Contact Form by Bit Form plugin to version 2.18.0 or later. Temporarily disable the Webhooks integration as a workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation, but the vulnerability remains a potential risk and should be addressed promptly.
Refer to the official Bit Form website and WordPress plugin repository for updates and security advisories related to CVE-2024-13450.