Platform
wordpress
Component
hurrakify
Fixed in
2.4.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Hurrakify WordPress plugin. This flaw allows attackers to manipulate the plugin into making requests to unintended internal or external resources, potentially exposing sensitive data or facilitating unauthorized access. The vulnerability affects versions of Hurrakify up to and including 2.4, with a fix released in version 2.4.1.
The SSRF vulnerability in Hurrakify enables an attacker to craft malicious requests that the plugin will execute on behalf of the server. This can lead to several severe consequences. An attacker could potentially access internal services that are not directly exposed to the internet, such as database servers, internal APIs, or administrative interfaces. Furthermore, the plugin could be used to scan internal networks, exfiltrate sensitive data, or even launch attacks against other systems within the network. The blast radius extends to any internal resource accessible via HTTP/HTTPS from the WordPress server.
This vulnerability was publicly disclosed on December 13, 2024. There is currently no indication of active exploitation campaigns targeting this specific SSRF vulnerability. The CVSS score of 7.2 (HIGH) reflects the potential impact and relative ease of exploitation. The vulnerability is not currently listed in CISA's KEV catalog.
WordPress websites utilizing the Hurrakify plugin, particularly those running versions 2.4 or earlier, are at significant risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable. Sites with sensitive internal resources accessible via HTTP/HTTPS are also at higher risk.
• wordpress / composer / npm:
  grep -r 'http://' /var/www/html/wp-content/plugins/hurrakify/*
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/hurrakify/ | grep Server
Disclosure
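The grep and curl commands above only show that the plugin directory is present; the decisive check is whether the installed copy declares a version below 2.4.1. The following PHP is an added example, not code from the advisory or from the Hurrakify project. The file name plugin.php and the temporary directory are constructed stand-ins for the plugin's real main file under wp-content/plugins/hurrakify/.

```php
<?php
// Added example (not from the advisory or the Hurrakify project): decide whether an
// installed copy of the plugin is in the affected range by reading the "Version:"
// header that every WordPress plugin declares in its main file. Paths and the
// sample file name are assumptions.

/**
 * Return the version string declared in a plugin file header, or null if absent.
 */
function hurrakify_read_plugin_version(string $plugin_file): ?string
{
    // Plugin headers sit at the top of the file; 8 KiB is more than enough.
    $header = file_get_contents($plugin_file, false, null, 0, 8192);
    if ($header === false) {
        return null;
    }
    // Matches lines such as " * Version: 2.4" inside the plugin header comment.
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(.+?)[ \t]*$/mi', $header, $m)) {
        return trim($m[1]);
    }
    return null;
}

/**
 * True when the declared version is below 2.4.1 (affected), false when patched.
 */
function hurrakify_is_affected(string $version): bool
{
    return version_compare($version, '2.4.1', '<');
}

/**
 * Scan a plugin directory for the first .php file carrying a Version header
 * and report the version found together with the verdict.
 */
function hurrakify_check_dir(string $plugin_dir): array
{
    foreach (glob(rtrim($plugin_dir, '/') . '/*.php') as $file) {
        $v = hurrakify_read_plugin_version($file);
        if ($v !== null) {
            return ['file' => $file, 'version' => $v, 'affected' => hurrakify_is_affected($v)];
        }
    }
    return ['file' => null, 'version' => null, 'affected' => null];
}

// Constructed sample header, standing in for wp-content/plugins/hurrakify/<main>.php
$sample = sys_get_temp_dir() . '/hurrakify-sample';
@mkdir($sample);
file_put_contents($sample . '/plugin.php', "<?php\n/*\n * Plugin Name: Hurrakify\n * Version: 2.4\n */\n");

$result = hurrakify_check_dir($sample);
printf("%s declares %s: %s\n", $result['file'], $result['version'],
    $result['affected'] ? 'AFFECTED (upgrade to 2.4.1)' : 'patched');
```

On a live install, point hurrakify_check_dir() at wp-content/plugins/hurrakify/ instead of the constructed directory. The header pattern is comparable to the one WordPress core uses in get_file_data(), so it reads the same Version: line the plugin list in the dashboard shows, and version_compare() handles 2.4 versus 2.4.1 correctly without string tricks.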
Exploit status
EPSS
32.44% (97th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-54330 is to immediately upgrade the Hurrakify plugin to version 2.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URLs or patterns indicative of SSRF attempts. Additionally, restrict the plugin's access to external resources by configuring network firewall rules to limit outbound connections. After upgrading, confirm the fix by attempting a known SSRF payload through the plugin and verifying that the request is blocked or handled securely.
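As a concrete form of the advice to restrict the plugin's access to external resources, here is the destination check a plugin should apply before it fetches a URL taken from a request. This is an added example, not the advisory's or Hurrakify's code, and it does not describe how the 2.4.1 fix is implemented; the function names, the optional allowlist and the sample URLs are assumptions.

```php
<?php
// Added example (not the advisory's or the project's code): the kind of destination
// check a plugin should apply before fetching a user-supplied URL, so that the
// server cannot be turned into a proxy to loopback, link-local or RFC 1918 hosts.
// The helper names, the allowlist and the sample URLs are assumptions.

/**
 * True when an IP (v4 or v6) is outside private, loopback, link-local and
 * reserved ranges. filter_var's range flags implement this classification.
 */
function ssrf_ip_is_public(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Decide whether a URL may be fetched.
 *
 * Checks, in order: absolute http(s) URL, host on the allowlist (when one is
 * configured), and every address the host resolves to is public. The resolved
 * address is returned so the caller can pin it for the actual request.
 */
function ssrf_check_url(string $url, array $allowed_hosts = []): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return ['ok' => false, 'reason' => 'not an absolute URL'];
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return ['ok' => false, 'reason' => 'scheme not allowed: ' . $parts['scheme']];
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if ($allowed_hosts && !in_array($host, $allowed_hosts, true)) {
        return ['ok' => false, 'reason' => 'host not on allowlist: ' . $host];
    }
    // A literal IP in the URL is checked directly; a name is resolved and every
    // returned address must be public (DNS may answer with several).
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $addresses = [$host];
    } else {
        $addresses = gethostbynamel($host) ?: [];
        if ($addresses === []) {
            return ['ok' => false, 'reason' => 'host does not resolve: ' . $host];
        }
    }
    foreach ($addresses as $ip) {
        if (!ssrf_ip_is_public($ip)) {
            return ['ok' => false, 'reason' => "resolves to non-public address $ip"];
        }
    }
    return ['ok' => true, 'reason' => '', 'pinned_ip' => $addresses[0]];
}

// Constructed sample inputs: the first passes the range check (when the name
// resolves); the rest must be refused before any request is made.
foreach ([
    'https://example.com/feed.json',
    'http://127.0.0.1:8080/',
    'http://10.0.0.5/',
    'http://[::1]/',
    'file:///etc/passwd',
] as $candidate) {
    $r = ssrf_check_url($candidate);
    printf("%-35s %s\n", $candidate, $r['ok'] ? 'allowed' : 'refused: ' . $r['reason']);
}
```

Inside WordPress the same goal is reached with the core API: wp_safe_remote_get() runs wp_http_validate_url(), which rejects loopback and private-range destinations, so a plugin that builds its own HTTP calls from request input should be switched to it rather than re-implementing the check. Whichever check is used, the fetch should connect to the address that was validated (for cURL, via CURLOPT_RESOLVE); resolving once for the check and again for the fetch leaves a window in which a second DNS answer can point somewhere else.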
Update the Hurrakify plugin to the latest available version. If no version that fixes the vulnerability is available, consider disabling the plugin until an update is published. Contact the plugin developer to request a fix.
CVE-2024-54330 is a Server-Side Request Forgery vulnerability affecting the Hurrakify WordPress plugin, allowing attackers to make requests on behalf of the server.
You are affected if you are using Hurrakify version 2.4 or earlier. Upgrade to 2.4.1 to mitigate the risk.
Upgrade the Hurrakify plugin to version 2.4.1 or later. As a temporary workaround, implement WAF rules to block suspicious requests.
There is currently no evidence of active exploitation, but the vulnerability poses a significant risk.
Refer to the official Hurrakify plugin documentation and WordPress security announcements for the latest advisory information.