Platform
wordpress
Component
justified-image-grid
Fixed in
4.6.2
CVE-2024-43989 is a Server-Side Request Forgery (SSRF) vulnerability in the Justified Image Grid WordPress plugin. An attacker can cause the plugin to issue server-side requests to destinations of the attacker's choosing, internal or external, which can expose data that the web server can reach but the attacker cannot, and can serve as a foothold for further attacks. All plugin versions up to and including 4.6.1 are affected; the fix shipped in version 4.6.2.
Because the forged request originates from the web server, an attacker can reach internal network resources that are not exposed to the internet: internal HTTP APIs, administrative interfaces, services with HTTP front ends and, on cloud-hosted installations, the instance metadata endpoint. Depending on what those services do with an unauthenticated request arriving from the web server, the outcome ranges from information disclosure to privilege escalation or remote code execution on a vulnerable internal system. How much an attacker learns also depends on whether the plugin returns the fetched response to the caller (full-read SSRF) or only reveals success or failure (blind SSRF); the available details do not specify which applies here. The impact is greatest where the WordPress host sits on a network with sensitive internal services, because the plugin then acts as a proxy into that network.
The vulnerability was publicly disclosed on 2024-09-22. There is no indication of active exploitation campaigns at this time, and no proof-of-concept code has been publicly released, but SSRF flaws are typically straightforward to trigger once the affected request is known, so the absence of a public PoC should not be read as protection. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
5.03% (90th percentile)
The primary mitigation for CVE-2024-43989 is to upgrade the Justified Image Grid plugin to version 4.6.2 or later without delay. If the upgrade cannot be applied immediately because of compatibility testing or change-control requirements, reduce exposure in the meantime. A Web Application Firewall (WAF) only sees the inbound request that carries the attacker-supplied URL, not the outbound request the plugin then makes, so the WAF rule must block requests to the plugin's endpoints whose URL parameter uses a non-http(s) scheme or points at loopback, RFC 1918, link-local (169.254.0.0/16, which includes cloud metadata services) or other non-public addresses. Independently, apply egress filtering on the WordPress host so that the web server process cannot open connections to those internal ranges at all, and review which internal services the host can reach, since that determines the blast radius. WAF rules are a stopgap, not a substitute for the update: alternate encodings and DNS names that resolve to internal addresses can bypass pattern matching. After upgrading, verify the fix by submitting a URL that points at an internal address (for example the loopback address) through the affected functionality: the request should be rejected or fail, and no corresponding outbound connection should appear on the web server.
Update the Justified Image Grid plugin to the latest available version. The SSRF vulnerability lets an attacker make the web server issue requests to internal or external servers; version 4.6.2 fixes it.
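As an added illustration, not code from the Justified Image Grid plugin (whose vulnerable code path this advisory does not identify), the following PHP shows the request-handling pattern that produces an SSRF of this kind next to a hardened fetch: scheme and port allow-listing, a single DNS resolution checked against loopback, private, link-local and IPv6-internal ranges, and a connection pinned to the checked address so the HTTP client cannot be rebound to an internal host. The function names jig_fetch_vulnerable and jig_fetch_hardened, the image_url parameter, the hostnames and the resolver table are all hypothetical and constructed for the demonstration.

```php
<?php
// Added example: a hypothetical WordPress handler that fetches a caller-supplied
// URL, first in the shape that yields an SSRF, then hardened. Not taken from the
// Justified Image Grid plugin; function names, the image_url parameter and the
// resolver table are constructed for the demonstration.

// VULNERABLE pattern: the URL goes from the request straight to the HTTP client.
function jig_fetch_vulnerable( array $request ) {
    $url = $request['image_url'];      // attacker-controlled, unchecked
    return wp_remote_get( $url );      // wp_remote_get() performs no destination checks
}

// True if a literal IP (v4 or v6) must never be contacted from the web server.
function ssrf_is_forbidden_ip( string $ip ): bool {
    $bin = @inet_pton( $ip );
    if ( false === $bin ) return true;                 // unparsable: fail closed
    if ( 16 === strlen( $bin ) ) {                     // IPv6
        if ( str_repeat( "\0", 10 ) . "\xff\xff" === substr( $bin, 0, 12 ) ) {
            return ssrf_is_forbidden_ip( inet_ntop( substr( $bin, 12 ) ) ); // ::ffff:a.b.c.d
        }
        $b0 = ord( $bin[0] );
        $b1 = ord( $bin[1] );
        return str_repeat( "\0", 15 ) . "\x01" === $bin     // ::1 loopback
            || str_repeat( "\0", 16 ) === $bin              // :: unspecified
            || 0xfc === ( $b0 & 0xfe )                      // fc00::/7 unique local
            || ( 0xfe === $b0 && 0x80 === ( $b1 & 0xc0 ) ); // fe80::/10 link-local
    }
    $o = array_map( 'ord', str_split( $bin ) );        // IPv4 octets
    return 0 === $o[0]                                 // 0.0.0.0/8
        || 10 === $o[0]                                // 10.0.0.0/8
        || 127 === $o[0]                               // 127.0.0.0/8 loopback
        || ( 169 === $o[0] && 254 === $o[1] )          // 169.254.0.0/16, incl. 169.254.169.254 metadata
        || ( 172 === $o[0] && $o[1] >= 16 && $o[1] <= 31 )  // 172.16.0.0/12
        || ( 192 === $o[0] && 168 === $o[1] )          // 192.168.0.0/16
        || ( 100 === $o[0] && $o[1] >= 64 && $o[1] <= 127 ) // 100.64.0.0/10 CGNAT
        || $o[0] >= 224;                               // multicast, reserved, broadcast
}

// Validate a caller-supplied URL and resolve its host exactly once.
// $resolve maps a hostname to an IP string or null. Returns null on rejection.
function ssrf_validate_url( string $url, callable $resolve ): ?array {
    $p = parse_url( $url );
    if ( ! $p || empty( $p['scheme'] ) || empty( $p['host'] ) ) return null;
    $scheme = strtolower( $p['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) return null; // no file://, gopher://
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) return null;         // no http://trusted@internal/
    $port = $p['port'] ?? ( 'https' === $scheme ? 443 : 80 );
    if ( ! in_array( $port, array( 80, 443 ), true ) ) return null;       // no probing of 6379, 9200, ...
    $host = trim( $p['host'], '[].' );
    $ip   = false !== @inet_pton( $host ) ? $host : $resolve( $host );    // literal IP, or resolve once
    if ( null === $ip || ssrf_is_forbidden_ip( $ip ) ) return null;
    return array( 'url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ip );
}

// HARDENED pattern: validate, then pin the connection to the checked IP so the
// HTTP client's own DNS lookup cannot be rebound to an internal address.
function jig_fetch_hardened( array $request, callable $resolve ) {
    $t = ssrf_validate_url( (string) ( $request['image_url'] ?? '' ), $resolve );
    if ( null === $t ) return new WP_Error( 'ssrf_blocked', 'URL not allowed' );
    $ch = curl_init( $t['url'] );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,               // a redirect would reopen the hole
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RESOLVE        => array( "{$t['host']}:{$t['port']}:{$t['ip']}" ),
    ) );
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}

// Offline demonstration: a constructed resolver table stands in for real DNS.
$fake_dns = function ( string $host ): ?string {
    $table = array(
        'images.example.com'      => '93.184.216.34',
        'rebind.attacker.example' => '10.0.0.5',       // public name, internal answer
    );
    return $table[ $host ] ?? null;
};
foreach ( array(
    'https://images.example.com/a.jpg',
    'http://127.0.0.1/',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::ffff:127.0.0.1]/',
    'http://rebind.attacker.example/x.jpg',
    'http://images.example.com:6379/',
    'file:///etc/passwd',
) as $candidate ) {
    $r = ssrf_validate_url( $candidate, $fake_dns );
    printf( "%-44s %s\n", $candidate, $r ? 'allowed -> ' . $r['ip'] : 'BLOCKED' );
}
```

Running the file with php prints one line per constructed URL; only the first is allowed, the loopback, metadata, IPv4-mapped, rebinding, odd-port and file:// cases are all blocked. WordPress core already provides wp_safe_remote_get(), which runs wp_http_validate_url() and rejects the 10/8, 172.16/12, 192.168/16, 127/8 and 0/8 ranges and non-standard ports; it does not, however, reject 169.254.0.0/16, and it resolves the host for the check separately from the connection, so a rebinding DNS answer can still slip through. That is why the example keeps its own range check and pins the connection with CURLOPT_RESOLVE; a plugin that cannot use curl directly should at least combine wp_safe_remote_get() with the egress filtering described above.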
CVE-2024-43989 is a Server-Side Request Forgery vulnerability affecting the Justified Image Grid WordPress plugin, allowing attackers to make requests to unintended resources.
You are affected if you are using Justified Image Grid version 4.6.1 or earlier. Upgrade to 4.6.2 to mitigate the risk.
Upgrade the Justified Image Grid plugin to version 4.6.2 or later. Until the upgrade is applied, WAF rules on the inbound request and egress filtering on the WordPress host can reduce exposure as a temporary workaround.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.