Platform
wordpress
Component
makestories-helper
Fixed in
3.0.4
CVE-2024-38746 describes a Server-Side Request Forgery (SSRF) vulnerability within the MakeStories plugin for Google Web Stories. This flaw, stemming from improper limitation of a pathname, allows attackers to potentially make unauthorized requests to internal or external resources. Versions of MakeStories prior to 3.0.4 are affected, and a patch has been released to address the issue.
An attacker exploiting this SSRF vulnerability can craft malicious Web Stories that trigger server-side requests to arbitrary URLs. This could expose sensitive internal data, grant unauthorized access to internal services, or contribute to a compromise of the WordPress server itself: the attacker may be able to read configuration files, reach databases, or interact with other services accessible from the WordPress environment. Direct code execution is unlikely, but the SSRF provides a significant vector for reconnaissance and for escalating privileges.
This vulnerability was publicly disclosed on August 1, 2024. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. Because it is an SSRF, it can be leveraged for reconnaissance, and its ease of exploitation could make it an attractive target for opportunistic attackers. The vulnerability is not currently listed in CISA's KEV catalog.
Websites utilizing MakeStories for Google Web Stories, particularly those running versions prior to 3.0.4, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites that rely on MakeStories to integrate with internal or external APIs are also at higher risk.
• wordpress / composer / npm:
  grep -r '../' /var/www/html/wp-content/plugins/makestories/*
• generic web:
  curl -I 'https://your-wordpress-site.com/wp-content/plugins/makestories/some-file.php?url=../sensitive-file'
• wordpress / composer / npm:
  wp plugin list --status=active | grep makestories
Disclosure
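The `wp plugin list` check above only tells you whether the plugin is active; the following added Python example (not part of this advisory or of the MakeStories plugin) turns it into a repeatable version check. It parses WP-CLI output and the plugin's own header `Version:` line and compares the installed version with the first fixed release, 3.0.4. The slug `makestories-helper` is taken from the component field of this page; the WP-CLI sample and the plugin header below are constructed, and the `--format=csv` output shape is an assumption.

```python
"""Detect a vulnerable MakeStories install from WP-CLI output or the plugin header.

Added example; not part of the advisory or the plugin. Assumes the plugin slug
is makestories-helper (from the advisory header) and that 3.0.4 is the fixed version.
"""
import csv
import io
import re
from typing import Dict, Optional, Tuple

PLUGIN_SLUG = "makestories-helper"  # assumed slug, taken from the component field
FIXED_VERSION = "3.0.4"             # first release without the SSRF


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.4' into a tuple of integers that compares numerically."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def parse_wp_plugin_list(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Parse `wp plugin list --format=csv` output into {slug: row} (assumed format)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: row for row in reader}


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def assess(csv_text: str) -> Dict[str, object]:
    """Decide whether the site runs an affected MakeStories build."""
    row = parse_wp_plugin_list(csv_text).get(PLUGIN_SLUG)
    if row is None:
        return {"installed": False, "active": False, "version": None, "vulnerable": False}
    return {
        "installed": True,
        "active": row["status"] == "active",
        "version": row["version"],
        "vulnerable": is_vulnerable(row["version"]),
    }


# Constructed sample of `wp plugin list --format=csv` output (not captured from a real site).
SAMPLE_WP_CLI = """name,status,update,version
akismet,active,none,5.3.2
makestories-helper,active,available,3.0.2
"""

# Constructed plugin header in the shape WordPress uses for a plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: MakeStories (for Google Web Stories)
 * Version: 3.0.4
 */
"""

if __name__ == "__main__":
    print(assess(SAMPLE_WP_CLI))                     # vulnerable: True (3.0.2 < 3.0.4)
    print(plugin_version_from_header(SAMPLE_HEADER))  # 3.0.4
```

On a real host, feed `assess()` the output of `wp plugin list --format=csv` and `plugin_version_from_header()` the contents of the plugin's main PHP file; checking both catches the case where a file-level update was applied but WP-CLI's cached plugin data is stale.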
Exploit status
EPSS
0.79% (74th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-38746 is to upgrade the MakeStories plugin to version 3.0.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, add a Web Application Firewall (WAF) rule that blocks requests whose URL parameters point at internal addresses or contain traversal sequences, or restrict the server's outbound connections to trusted domains. Additionally, review and restrict the permissions granted to the WordPress user account under which the MakeStories plugin runs, to limit the impact of a successful request. After upgrading, confirm the fix by attempting to create a Web Story with a URL pointing to an internal resource; the request should be blocked or denied.
Update the MakeStories (for Google Web Stories) plugin to a version later than 3.0.3. This resolves the Path Traversal and Server Side Request Forgery vulnerabilities. You can update the plugin directly from the WordPress admin panel.
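The WAF rule and the post-upgrade check described above both come down to one decision: may a user-supplied URL be fetched by the server? The following added Python example (not the plugin's code and not from this advisory) shows that decision as a validator that rejects non-HTTP schemes, embedded credentials, loopback/private/link-local IP literals, hosts outside an allowlist, and `..` path segments (the pathname-limitation problem this CVE is classified under), plus a small WAF-style wrapper that applies it to the `url` query parameter of a request. `ALLOWED_HOSTS`, the parameter name `url`, and the request paths in the test inputs are assumptions.

```python
"""Validate an outbound fetch target before the server requests it (SSRF mitigation).

Added example, not the MakeStories plugin's code. ALLOWED_HOSTS is an assumed
allowlist; the `url` parameter name and the sample request paths are assumptions.
DNS resolution is deliberately not performed here (see the note below the code).
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_HOSTS = {"cdn.example.com", "api.example.com"}  # assumed trusted origins


def classify_host(host: str) -> Optional[str]:
    """Return a rejection reason if `host` is an IP literal in a non-public range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name: the allowlist decides
    if ip.is_loopback:
        return "loopback address"
    if ip.is_private:
        return "private address"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "non-routable address"
    return None


def validate_fetch_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason). Only http(s) URLs to allowlisted hosts with clean paths pass."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in {"http", "https"}:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    reason = classify_host(host)
    if reason:
        return False, reason
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    # Decode once so %2e%2e is seen as '..', then refuse any traversal segment.
    if ".." in unquote(parts.path).split("/"):
        return False, "path traversal segment"
    return True, "ok"


def decide_request(path_and_query: str) -> Tuple[str, str]:
    """Emulate a WAF rule: block a request whose `url` parameter fails validation."""
    values = parse_qs(urlsplit(path_and_query).query).get("url")
    if not values:
        return "allow", "no url parameter"
    ok, reason = validate_fetch_target(values[0])
    return ("allow" if ok else "block"), reason


if __name__ == "__main__":
    # Constructed request paths; the plugin file name is a placeholder.
    for req in (
        "/wp-content/plugins/makestories-helper/some-file.php?url=https%3A%2F%2Fcdn.example.com%2Fstory.json",
        "/wp-content/plugins/makestories-helper/some-file.php?url=http%3A%2F%2F127.0.0.1%2F",
        "/wp-content/plugins/makestories-helper/some-file.php?url=https%3A%2F%2Fcdn.example.com%2Fa%2F%252e%252e%2Fb",
    ):
        print(decide_request(req))
```

The validator looks only at the literal host, so a DNS name that resolves to an internal address still passes; the connect-time check belongs in the HTTP client, which in WordPress is what `wp_safe_remote_get()` and `wp_http_validate_url()` provide. Use the validator as the request-side filter and the safe client as the second layer.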
CVE-2024-38746 is a Server-Side Request Forgery vulnerability affecting MakeStories versions up to 3.0.3, allowing attackers to make unauthorized requests. It has a CVSS score of 7.1 (HIGH).
Yes, if you are using MakeStories (for Google Web Stories) version 3.0.3 or earlier, you are vulnerable to this SSRF vulnerability.
Upgrade MakeStories to version 3.0.4 or later to resolve the vulnerability. Consider implementing WAF rules as a temporary workaround if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for active campaigns. Monitoring is advised.
Refer to the MakeStories official website and WordPress plugin repository for the latest advisory and update information.