Platform
wordpress
Component
makestories-helper
Fixed in
3.0.4
CVE-2024-38746 describes a Server-Side Request Forgery (SSRF) vulnerability within the MakeStories plugin for Google Web Stories. This flaw, stemming from improper limitation of a pathname, allows attackers to potentially make unauthorized requests to internal or external resources. Versions of MakeStories prior to 3.0.4 are affected, and a patch has been released to address the issue.
The SSRF vulnerability in MakeStories allows an attacker to craft malicious URLs that, when processed by the plugin, trigger requests to unintended destinations. This could lead to exposure of sensitive internal resources, access to administrative panels on other servers, or even the execution of arbitrary code on the server if the attacker can manipulate the request to interact with vulnerable services. The impact is amplified if the WordPress site is used to manage or connect to other critical systems, as the attacker could potentially pivot and compromise those systems as well. A successful SSRF attack could result in data breaches, system compromise, and denial of service.
CVE-2024-38746 was publicly disclosed on August 1, 2024. While no public proof-of-concept (PoC) code has been widely reported, the SSRF nature of the vulnerability makes it relatively easy to exploit. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the ease of exploitation and potential impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting MakeStories.
Exploit Status
EPSS
0.79% (74% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-38746 is to immediately upgrade the MakeStories plugin to version 3.0.4 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Additionally, restrict the plugin's access to external resources by implementing stricter input validation and sanitization. Regularly review the plugin's configuration and ensure that it adheres to security best practices.
Actualice el plugin MakeStories (for Google Web Stories) a una versión posterior a la 3.0.3. Esto solucionará las vulnerabilidades de Path Traversal y Server Side Request Forgery. Puede actualizar el plugin directamente desde el panel de administración de WordPress.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-38746 is a Server-Side Request Forgery vulnerability affecting MakeStories versions up to 3.0.3, allowing attackers to make unauthorized requests. It has a CVSS score of 7.1 (HIGH).
Yes, if you are using MakeStories (for Google Web Stories) version 3.0.3 or earlier, you are vulnerable to this SSRF vulnerability.
Upgrade MakeStories to version 3.0.4 or later to resolve the vulnerability. Consider implementing WAF rules as a temporary workaround if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for active campaigns. Monitoring is advised.
Refer to the MakeStories official website and WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.