Platform
wordpress
Component
buddyforms
Fixed in
2.8.9
CVE-2024-32830 describes a Server Side Request Forgery (SSRF) vulnerability in the BuddyForms WordPress plugin. The flaw stems from improper limitation of a pathname to a restricted directory (relative path traversal) and allows attackers to reach internal resources or trigger unintended actions through crafted requests. It affects BuddyForms versions up to and including 2.8.8; the fix is available in version 2.8.9.
The SSRF vulnerability in BuddyForms lets an attacker craft requests that originate from the server itself, which has several potential impacts. An attacker could reach internal services that are not directly exposed to the internet, such as administrative panels or databases, read sensitive files, or interact with other systems on the same network. The relative path traversal aspect amplifies the risk by letting attackers bypass intended restrictions and reach unexpected targets. Possible outcomes include data breaches, system compromise, and denial of service.
CVE-2024-32830 was publicly disclosed on May 17, 2024. Its SSRF nature, combined with its ease of exploitation, suggests a potential for active scanning and exploitation. While no public proof-of-concept (PoC) code has been widely reported, the general availability of SSRF exploitation techniques indicates a moderate risk of exploitation. It is not currently listed on CISA KEV.
WordPress sites using the BuddyForms plugin, particularly those running version 2.8.8 or earlier, are at risk. Sites on shared hosting where plugin updates are managed centrally are especially exposed, because the site owner may not have immediate control over when the plugin is updated. Sites with sensitive internal resources reachable over HTTP should prioritize remediation.
• wordpress / composer / npm:
  grep -r 'wp_remote_get' /var/www/html/wp-content/plugins/buddyforms/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/buddyforms/ | grep Server
• wordpress / composer / npm:
  wp plugin list --fields=name,status,version | grep buddyforms
Disclosure
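A defender-side version check for the affected range stated above (up to and including 2.8.8, fixed in 2.8.9), as an added example that is not part of this advisory or of the BuddyForms plugin. It reads the plugin header the way WordPress does (a `Version:` line in the leading comment of a top-level PHP file that also carries `Plugin Name:`), so no main file name is assumed; the default plugin directory is the one used in the grep command above, and pre-release builds of 2.8.9 are treated as unpatched.

```python
"""Check an installed BuddyForms copy against CVE-2024-32830 (fixed in 2.8.9)."""
import re
import sys
from pathlib import Path
from typing import Optional

FIXED_IN = "2.8.9"  # from the advisory: versions below this are affected
# Default taken from the advisory's grep command; override with argv[1].
DEFAULT_PLUGIN_DIR = "/var/www/html/wp-content/plugins/buddyforms"

# Same pattern WordPress uses to pull header fields out of a plugin file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)


def version_key(version: str) -> tuple:
    """Comparable key: numeric parts padded to 4, then a release flag.
    '2.8.9-beta1' sorts below '2.8.9' so pre-releases count as unpatched."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # 2.8 == 2.8.0.0
    suffix = m.group(2).strip(" -")
    return tuple(nums) + ((1, "") if not suffix else (0, suffix))


def is_affected(version: str) -> bool:
    """True when the given BuddyForms version is below the fixed release."""
    return version_key(version) < version_key(FIXED_IN)


def version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version field from a WordPress plugin header, if present."""
    head = php_source[:8192]  # WordPress only inspects the first 8 KB
    if "Plugin Name:" not in head:
        return None
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def read_plugin_version(plugin_dir: str) -> Optional[str]:
    """Scan top-level PHP files of the plugin directory for the header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        found = version_from_header(php.read_text(errors="replace"))
        if found:
            return found
    return None


if __name__ == "__main__":
    installed = read_plugin_version(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGIN_DIR)
    if installed is None:
        sys.exit("BuddyForms header not found; plugin not installed or path wrong")
    state = "AFFECTED by CVE-2024-32830" if is_affected(installed) else "patched"
    print(f"BuddyForms {installed}: {state} (fixed in {FIXED_IN})")
    sys.exit(2 if is_affected(installed) else 0)
```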
Exploit status
EPSS
1.31% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-32830 is to immediately upgrade BuddyForms to version 2.8.9 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences. Restrict network access to the WordPress server to only necessary ports and services. Regularly review WordPress plugin configurations and disable any unnecessary plugins to reduce the attack surface. After upgrading, confirm the fix by attempting a path traversal request and verifying that it is blocked.
Update the BuddyForms plugin to the latest available version. If no fixed version is available, consider disabling the plugin until one is published. Consult the vendor's website for further information and updates.
CVE-2024-32830 is a Server Side Request Forgery vulnerability in the BuddyForms WordPress plugin, allowing attackers to make unauthorized requests. It has a HIGH severity rating (CVSS 8.6) and affects versions up to 2.8.8.
You are affected if you are using BuddyForms version 2.8.8 or earlier. Check your plugin version and upgrade immediately if vulnerable.
Upgrade BuddyForms to version 2.8.9 or later to patch the SSRF vulnerability. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly to prevent potential attacks.
Refer to the official BuddyForms website and WordPress plugin repository for the latest security advisory and update information: [https://buddyforms.com/](https://buddyforms.com/)