Platform: wordpress
Component: hurrakify
Fixed in: 2.4.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Hurrakify WordPress plugin. This flaw allows attackers to manipulate the plugin into making requests to unintended internal or external resources, potentially exposing sensitive data or facilitating unauthorized access. The vulnerability affects versions of Hurrakify up to and including 2.4, with a fix released in version 2.4.1.
The SSRF vulnerability in Hurrakify enables an attacker to craft malicious requests that the plugin will execute on behalf of the server. This can lead to several severe consequences. An attacker could potentially access internal services that are not directly exposed to the internet, such as database servers, internal APIs, or administrative interfaces. Furthermore, the flaw could be used to scan internal networks, exfiltrate sensitive data, or even launch attacks against other systems within the network. The blast radius extends to any internal resource accessible via HTTP/HTTPS from the WordPress server.
This vulnerability was publicly disclosed on December 13, 2024. There is currently no indication of active exploitation campaigns targeting this specific SSRF vulnerability. The CVSS score of 7.2 (HIGH) reflects the potential impact and relative ease of exploitation. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 32.44% (97th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-54330 is to immediately upgrade the Hurrakify plugin to version 2.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URLs or patterns indicative of SSRF attempts. Additionally, restrict the plugin's access to external resources by configuring network firewall rules to limit outbound connections. After upgrading, confirm the fix by attempting a known SSRF payload through the plugin and verifying that the request is blocked or handled securely.
Update the Hurrakify plugin to the latest available version. If no version is available that fixes the vulnerability, consider disabling the plugin until an update is released. Contact the plugin developer to request a fix.
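As an added illustration, not code from the Hurrakify plugin or from this advisory, the following Python function shows the kind of outbound-URL policy the mitigations above call for: instead of a denylist of suspicious URL patterns, it allows a server-side fetch only when the scheme is http(s), the URL carries no credentials, and every address the host resolves to is globally routable. The resolver parameter is a hypothetical hook so the check can be exercised offline against constructed DNS data.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to every A/AAAA address it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def outbound_url_allowed(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch.

    Allow-list logic: only http(s), a real host, no embedded credentials,
    and every resolved address must be globally routable. Loopback,
    RFC 1918, link-local (e.g. cloud metadata), unspecified and reserved
    ranges all fail is_global, so no list of address spellings is needed.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        # Literal IP: judge it directly, no resolution step.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = set(resolver(host))  # hypothetical injectable resolver
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged by its IPv4 part.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"{addr} is not a globally routable address"
    return True, "ok"
```

The same check must be repeated on every redirect and the connection pinned to the address that was checked, otherwise DNS rebinding can defeat it; in a PHP plugin, WordPress's own wp_safe_remote_get() applies a comparable filter.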
CVE-2024-54330 is a Server-Side Request Forgery vulnerability affecting the Hurrakify WordPress plugin, allowing attackers to make requests on behalf of the server.
You are affected if you are using Hurrakify version 2.4 or earlier. Upgrade to 2.4.1 to mitigate the risk.
Upgrade the Hurrakify plugin to version 2.4.1 or later. As a temporary workaround, implement WAF rules to block suspicious requests.
There is currently no evidence of active exploitation, but the vulnerability poses a significant risk.
Refer to the official Hurrakify plugin documentation and WordPress security announcements for the latest advisory information.