Platform: wordpress
Component: wp-all-import-pro
Fixed in: 4.9.4
CVE-2024-9624 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the WP All Import Pro plugin for WordPress. This flaw allows authenticated attackers, specifically those with administrator-level access or higher, to initiate web requests to arbitrary locations from the web application. Versions of the plugin up to and including 4.9.3 are affected, and a fix is available from the vendor.
The SSRF vulnerability in WP All Import Pro poses a significant risk to WordPress websites using the plugin. An attacker, having gained administrative privileges, can leverage this flaw to make requests to internal services that are not normally accessible from the outside. This could involve querying sensitive data, modifying configurations, or even gaining access to cloud metadata, particularly on cloud platforms like AWS, Google Cloud, or Azure. Exploitation could lead to unauthorized data disclosure, system compromise, and potential lateral movement within the network. The ability to access cloud metadata is particularly concerning, as it can expose credentials and other sensitive information used by the cloud infrastructure.
CVE-2024-9624 was publicly disclosed on December 17, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature of the flaw makes it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of WordPress and the WP All Import Pro plugin, suggests that this vulnerability could become a target for opportunistic attackers.
WordPress websites using the WP All Import Pro plugin, particularly those running version 4.9.3 or earlier, are at risk. Websites hosted on cloud platforms (AWS, Google Cloud, Azure) are especially exposed because an attacker could use the flaw to reach cloud metadata endpoints. Sites with weak password policies or compromised administrator accounts are also at higher risk.
• wordpress / plugin: grep -r 'pmxi_curl_download' /var/www/html/wp-content/plugins/wp-all-import-pro/
• wordpress / plugin: wp plugin list | grep 'wp-all-import-pro'
• generic web: curl -I https://your-wordpress-site.com/wp-content/plugins/wp-all-import-pro/ | grep Server
• generic web: curl -I https://your-wordpress-site.com/wp-content/plugins/wp-all-import-pro/ | grep X-Powered-By
EPSS: 0.30% (54th percentile)
The primary mitigation for CVE-2024-9624 is to upgrade the WP All Import Pro plugin to a version patched against the vulnerability. If immediate upgrading is not feasible due to compatibility issues or testing requirements, consider a temporary workaround that restricts outbound network access from the WordPress server using a Web Application Firewall (WAF) or proxy. Configure the WAF to block requests originating from the plugin to external domains or internal IP addresses that are not explicitly required. Regularly monitor WordPress logs for suspicious outbound requests originating from the plugin's pmxi_curl_download function. After upgrading, confirm the fix by attempting a request to an internal service and verifying that it is blocked.
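The "block internal targets" part of that workaround, as an added example that is not WP All Import Pro's own code: an egress guard that a server-side fetch such as pmxi_curl_download should apply before connecting, written in Python so it runs stand-alone, with a hypothetical resolver parameter so the check can be exercised offline. WordPress core offers an equivalent for plugin authors in wp_safe_remote_get(), which validates the target through wp_http_validate_url().

```python
"""Egress guard for a server-side URL fetch: rejects targets that point at
internal, loopback, link-local or cloud-metadata addresses.  Added example
for this advisory, not code from WP All Import Pro; the resolver hook is a
hypothetical parameter so the check can be exercised offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a plugin-driven fetch should never reach from the web server.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",      # link-local, includes 169.254.169.254 (cloud metadata)
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(ip: str) -> bool:
    """True if the literal address falls in a blocked range (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def system_resolver(host: str) -> set:
    """Default resolver: every A/AAAA answer, so one public record cannot hide an internal one."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_fetch_url(url: str, resolver=system_resolver):
    """Return (allowed, reason). Only http/https; every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)       # literal IP: no DNS lookup needed
        addresses = {host}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    for ip in addresses:
        if is_blocked_ip(ip):
            return False, f"resolves to blocked address {ip}"
    # Caveat: the fetch must reuse these addresses (pin them); a DNS change between
    # this check and the connect would otherwise defeat the guard.
    return True, "ok"
```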
Update the WP All Import Pro plugin to the latest available version. The SSRF vulnerability allows authenticated attackers to send web requests from the server side to arbitrary locations, which could endanger the security of the application and of internal services. The update fixes the missing SSRF protections in the pmxi_curl_download function.
CVE-2024-9624 is a Server-Side Request Forgery vulnerability affecting the WP All Import Pro WordPress plugin, allowing attackers with admin access to make arbitrary web requests.
You are affected if you are using WP All Import Pro version 4.9.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade to the latest version of WP All Import Pro, as the vendor has released a patch to address this vulnerability. If upgrading is not immediately possible, implement a WAF workaround.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official WP All Import Pro website or their WordPress plugin repository page for the latest security advisories and updates.