Platform: wordpress
Component: wp-automatic
Fixed in: 3.92.1
CVE-2024-27954 is a critical Server-Side Request Forgery (SSRF) vulnerability in the WP Automatic plugin for WordPress. The flaw lets an attacker make the WordPress server issue HTTP requests to destinations of the attacker's choosing, bypassing the restrictions the plugin was meant to enforce and potentially exposing internal resources or triggering unauthorized actions. It affects WP Automatic versions up to and including 3.92.0; the fix is in version 3.92.1.
The SSRF vulnerability allows an attacker to supply a URL that the plugin fetches from the server side, with the server's own network position and credentials. The consequences can be severe. The attacker can reach services that are not exposed to the internet but are reachable from the web server, such as database servers, administration panels, internal APIs, and, on cloud hosts, instance metadata endpoints. The same primitive can be used to map the internal network for further vulnerable services. Successful exploitation can lead to data theft, unauthorized changes to the WordPress site, or full server compromise. The impact grows with the sensitivity of the data the server can reach and with how interconnected its network is.
CVE-2024-27954 was publicly disclosed on May 17, 2024. At the time of writing there is no confirmed report of exploitation in the wild and no public proof-of-concept (PoC), but the EPSS score on this page (92.88%, 100th percentile) predicts a very high probability of exploitation attempts, and SSRF flaws of this kind are usually straightforward to weaponize once the affected code path is known. Treat the vulnerability as a high-priority target and monitor security advisories and threat intelligence feeds for signs of exploitation.
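To determine whether an installation falls in the affected range, the installed plugin version has to be compared with the first fixed release numerically, not as strings. The following script is an added example written for this page, not code from WP Automatic or Patchstack; it reads the `Version:` field from a WordPress plugin header and compares it with 3.92.1. The plugin main-file name `wp-automatic.php` and the sample header text are assumptions made for the example.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# First release that contains the fix, per the advisory above.
FIXED_VERSION = "3.92.1"

# Constructed sample of a plugin main-file header; the real one lives in the
# plugin's main PHP file under wp-content/plugins. This text is made up for the example.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP Automatic
 * Version: 3.92.0
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.92.1' into (3, 92, 1).

    Comparing tuples compares each component as an integer, which avoids the
    string-comparison pitfall where '3.100.0' < '3.92.1'. Pre-release suffixes
    such as '-beta' are ignored here.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def plugin_version_from_header(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_header(header: str) -> dict:
    """Report the version found in a plugin header and whether it is affected."""
    version = plugin_version_from_header(header)
    if version is None:
        return {"version": None, "affected": None, "note": "no Version: field found"}
    return {"version": version, "affected": is_affected(version)}


def check_wordpress_install(wp_root: str) -> dict:
    """Locate the wp-automatic plugin under a WordPress root and check it.

    The plugin's main file name is assumed to be wp-automatic.php (assumption made
    for this example); only the first few kilobytes are read, where the header lives.
    """
    main_file = Path(wp_root) / "wp-content" / "plugins" / "wp-automatic" / "wp-automatic.php"
    if not main_file.is_file():
        return {"version": None, "affected": None, "note": f"{main_file} not found"}
    with main_file.open("r", encoding="utf-8", errors="replace") as fh:
        return check_header(fh.read(8192))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_wordpress_install(target) if target else check_header(SAMPLE_PLUGIN_HEADER))
```

Run it with the path of a WordPress root as the only argument to check a real install; without an argument it evaluates the constructed sample header. The tuple comparison matters: a future 3.100.x release would wrongly compare as older than 3.92.1 if versions were compared as strings.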
Exploit Status
EPSS: 92.88% (100th percentile)
The primary mitigation for CVE-2024-27954 is to upgrade WP Automatic to version 3.92.1 or later immediately. If the upgrade has to wait for compatibility testing, reduce exposure in the meantime. Apply egress filtering on the WordPress host or its network segment so that the web server process can only reach the external hosts it legitimately needs, and in particular cannot reach loopback, RFC 1918 ranges, link-local addresses (including cloud metadata endpoints), or internal management services. A Web Application Firewall (WAF) in front of the site can additionally block inbound requests that match a vendor- or provider-published rule for this CVE, but note that a WAF does not control outbound traffic from the server; that is the job of egress filtering. Also confirm that the web server user has no more file-system access than the plugin needs, to limit what a successful attack can read. After upgrading, verify the fix by checking that the installed plugin version is 3.92.1 or later in the WordPress plugin list or in the plugin's header file; since no public proof-of-concept is available at the time of writing, do not make replaying a "known payload" the verification step.
Update the WP Automatic plugin to the latest available version. If you cannot update yet, consider disabling the plugin until you can. See the Patchstack reference for more details.
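The egress restriction recommended above can also be enforced inside any code that fetches URLs on behalf of users. The validator below is an added example written for this page; it is not the WP Automatic fix and does not reproduce the plugin's code. It resolves the target host, checks every resolved address against private, loopback, link-local and metadata ranges, unmaps IPv4-mapped IPv6 literals so they cannot bypass the IPv4 rules, and returns the vetted addresses so the caller can connect to one of them instead of re-resolving. The DNS table, hostnames, and blocked-network list are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Address ranges an outbound fetch made on behalf of a web user must never reach.
# The list is this example's own choice; extend it for your environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes 169.254.169.254 cloud metadata
    "100.64.0.0/10",    # CGNAT / shared address space
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {
    "feeds.example.com": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.20", "10.0.0.5"],  # one public, one private record
    "metadata.example.org": ["169.254.169.254"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; injected so tests can run offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unmap ::ffff:10.0.0.1 style addresses so the IPv4 ranges apply to them too.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver = system_resolver) -> List[str]:
    """Return the vetted IP addresses for url, or raise ValueError.

    Every address the host resolves to is checked, not only the first, so a name
    with a mix of public and private records cannot slip through. The caller
    should connect to one of the returned addresses (sending the original Host
    header) rather than re-resolving, which would reopen the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # A literal IP skips DNS; urlsplit already strips the brackets from IPv6 literals.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    blocked = [a for a in addrs if address_is_blocked(a)]
    if blocked:
        raise ValueError(f"{host!r} resolves to blocked address(es): {blocked}")
    return addrs


def is_safe_url(url: str, resolve: Resolver = system_resolver) -> bool:
    """Convenience wrapper: True if validate_outbound_url accepts the URL."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except ValueError:
        return False
```

The check is only as good as the connection that follows it: if the HTTP client resolves the hostname again, a short-TTL record can point at an internal address on the second lookup. Pin the connection to a vetted address, and keep the network-level egress filter in place as the backstop.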
CVE-2024-27954 is a critical Server-Side Request Forgery vulnerability in the WP Automatic plugin for WordPress, versions up to and including 3.92.0, that lets attackers make the server issue requests of their choosing.
If you run WP Automatic version 3.92.0 or earlier, you are affected. Immediate action is required.
Upgrade WP Automatic to version 3.92.1 or later to resolve the SSRF vulnerability. If an immediate upgrade is not possible, use egress filtering and WAF rules as a temporary workaround.
There is currently no confirmed active exploitation, but the vulnerability's severity and its high EPSS score make it a likely target. Continuous monitoring is recommended.
Refer to the WP Automatic website and WordPress.org security announcements for the official advisory and further details.