Platform: wordpress
Component: qt-kentharadio
Fixed in: 2.0.2, 3.9.9.2
CVE-2021-24472 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting the KenthaRadio WordPress plugin, an addon for the Kentha Music WordPress theme. This flaw allows unauthenticated attackers to send arbitrary requests through the plugin's proxy functionality, potentially exposing sensitive internal resources or enabling Remote File Inclusion (RFI). The vulnerability impacts versions of the plugin up to and including 2.0.2, with a fix available in version 2.0.2.
The SSRF vulnerability in KenthaRadio allows an attacker to craft requests that the server will execute on their behalf. This can be exploited to access internal services that are not directly exposed to the internet, such as internal APIs, databases, or administrative interfaces. An attacker could potentially read sensitive data, modify configurations, or even execute arbitrary code on the server if the underlying web server is vulnerable to RFI. The impact is amplified by the plugin's widespread use within WordPress installations, potentially affecting a large number of websites. Successful exploitation could lead to data breaches, system compromise, and denial of service.
CVE-2021-24472 was publicly disclosed on 2021-06-28. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the SSRF nature of the flaw makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the risk of exploitation.
Exploit Status
EPSS: 89.82% (100th percentile)
CVSS Vector:
The primary mitigation for CVE-2021-24472 is to upgrade the KenthaRadio plugin to version 2.0.2 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks requests to the vulnerable proxy endpoint; specifically, block any request that carries the kentharadio_proxy parameter, whatever its value. Additionally, review and restrict the plugin's outbound network access to only the domains it legitimately needs, so that a successful SSRF attempt cannot reach internal services. After upgrading, confirm the fix by attempting to access an internal resource through the plugin's proxy functionality; the request should be denied.
Update to version 2.0.2, or a newer patched version
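As an added defensive illustration (not code from the advisory or from the plugin), the script below scans constructed web-server access-log lines for requests that pass a loopback, private, link-local or non-HTTP target to the kentharadio_proxy parameter named in the mitigation above; these are the requests a WAF rule or a post-upgrade check should be catching.

```python
"""Flag SSRF-style requests to the KenthaRadio proxy parameter in access logs.

Constructed example: the log lines are made up, and the parameter name
kentharadio_proxy is the one given in the advisory text.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

PARAM = "kentharadio_proxy"
# Request line inside a common-log-format entry: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range IPs, not a real system)
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jun/2021:10:00:01 +0000] "GET /?kentharadio_proxy=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 512
203.0.113.5 - - [28/Jun/2021:10:00:02 +0000] "GET /?kentharadio_proxy=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data HTTP/1.1" 200 90
198.51.100.7 - - [28/Jun/2021:10:00:03 +0000] "GET /?kentharadio_proxy=https%3A%2F%2Fstream.example.com%2Flive HTTP/1.1" 200 2048
198.51.100.7 - - [28/Jun/2021:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1500
"""


def is_internal_target(url: str) -> bool:
    """True if the proxied URL uses a non-HTTP scheme or points at a non-public host."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return True  # file://, gopher:// and friends are never a radio stream
    host = parsed.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; DNS resolution is out of scope for a log-only check
    return not addr.is_global  # loopback, RFC 1918, link-local (169.254.x.x), etc.


def find_suspicious_proxy_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, target_url) for each request whose proxy target is internal."""
    hits = []
    for line in log_text.splitlines():
        match = REQ_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes the value, so the target URL is recovered as sent
        query = parse_qs(urlparse(match.group(1)).query)
        for target in query.get(PARAM, []):
            if is_internal_target(target):
                hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    for client_ip, target in find_suspicious_proxy_requests(SAMPLE_LOG):
        print(f"{client_ip} -> {target}")
```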
CVE-2021-24472 is a critical SSRF vulnerability in the KenthaRadio WordPress plugin, allowing attackers to send requests through the plugin's proxy, potentially leading to RFI.
You are affected if you are using the KenthaRadio WordPress plugin version 2.0.2 or earlier. Upgrade to the latest version to mitigate the risk.
Upgrade the KenthaRadio plugin to version 2.0.2 or later. Consider implementing a WAF rule to block requests to the vulnerable proxy endpoint as a temporary workaround.
While no confirmed active exploitation campaigns are publicly known, the availability of a public proof-of-concept increases the risk of exploitation.
Refer to the KenthaRadio plugin documentation and WordPress security announcements for the official advisory regarding CVE-2021-24472.