Platform: wordpress
Component: wp-all-import-pro
Fixed in: 4.9.4
CVE-2024-9624 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the WP All Import Pro plugin for WordPress. This flaw allows authenticated attackers, specifically those with administrator-level access or higher, to initiate web requests to arbitrary locations from the web application. Versions of the plugin up to and including 4.9.3 are affected, and a fix is available from the vendor.
The SSRF vulnerability in WP All Import Pro poses a significant risk to WordPress websites using the plugin. An attacker, having gained administrative privileges, can leverage this flaw to make requests to internal services that are not normally accessible from the outside. This could involve querying sensitive data, modifying configurations, or even gaining access to cloud metadata, particularly on cloud platforms like AWS, Google Cloud, or Azure. Exploitation could lead to unauthorized data disclosure, system compromise, and potential lateral movement within the network. The ability to access cloud metadata is particularly concerning, as it can expose credentials and other sensitive information used by the cloud infrastructure.
CVE-2024-9624 was publicly disclosed on December 17, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature of the flaw makes it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of WordPress and the WP All Import Pro plugin, suggests that this vulnerability could become a target for opportunistic attackers.
Exploit Status
EPSS: 0.30% (54th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-9624 is to upgrade the WP All Import Pro plugin to a version patched against the vulnerability. If an immediate upgrade is not feasible because of compatibility or testing requirements, consider a temporary workaround: restrict outbound network access from the WordPress server using a Web Application Firewall (WAF) or proxy, configured to block requests originating from the plugin to external domains or internal IP addresses that are not explicitly required. Regularly monitor WordPress and server logs for suspicious outbound requests originating from the plugin's pmxi_curl_download function. After upgrading, confirm the fix by attempting a request to an internal service through the plugin and verifying that it is blocked.
Update the WP All Import Pro plugin to the latest available version. The SSRF vulnerability allows authenticated attackers to make web requests to arbitrary locations from the server, which could compromise the security of the application and internal services. The update corrects the lack of SSRF protection in the pmxi_curl_download function.
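As an added example (not the plugin's code or the vendor's patch), the following shows the kind of SSRF protection a curl-based download helper needs: an http/https scheme allowlist, resolution of the host with every returned address checked against loopback, private, link-local (which contains the 169.254.169.254 cloud metadata endpoint) and reserved ranges, the connection pinned to the vetted address, and redirects left unfollowed. All function names are hypothetical.

```php
<?php
// Added example, not code from WP All Import Pro; function names are hypothetical.
// Globally routable only: rejects loopback, RFC 1918, link-local (169.254.0.0/16,
// where the cloud metadata endpoint lives), ULA and other reserved ranges, v4 and v6.
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Returns the vetted IP to connect to, or null if the URL must be refused.
function safe_fetch_target(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) return null;
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) return null;
    if (isset($p['user']) || isset($p['pass'])) return null; // no credentials in the URL
    $host = trim($p['host'], '[]');                          // strip IPv6 brackets
    // A literal address is checked as-is; a hostname is resolved and every record
    // must pass, so a name that resolves to 127.0.0.1 is refused as well.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) return null;
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;
    }
    return $ips[0];
}
// Download $url to $dest only if it passes the check. The connection is pinned to the
// vetted IP (no DNS rebinding between check and fetch), non-HTTP protocols are off and
// redirects are not followed, since a redirect to an internal host would bypass the check.
function guarded_curl_download(string $url, string $dest): bool {
    $ip = safe_fetch_target($url);
    if ($ip === null) return false;
    $p = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $fh = fopen($dest, 'wb');
    if ($fh === false) return false;
    $opts = [
        CURLOPT_FILE => $fh,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT => 30,
    ];
    if (!filter_var(trim($p['host'], '[]'), FILTER_VALIDATE_IP)) {
        $opts[CURLOPT_RESOLVE] = ["{$p['host']}:{$port}:{$ip}"]; // pin hostname to vetted IP
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $ok = curl_exec($ch) !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    fclose($fh);
    return $ok;
}
```

Because the connection is pinned to the checked A record, unchecked AAAA records are never used; plugins that go through the WordPress HTTP API get comparable validation from wp_safe_remote_get(), which applies wp_http_validate_url().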
CVE-2024-9624 is a Server-Side Request Forgery vulnerability affecting the WP All Import Pro WordPress plugin, allowing attackers with admin access to make arbitrary web requests.
You are affected if you are using WP All Import Pro version 4.9.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade to the latest version of WP All Import Pro, as the vendor has released a patch to address this vulnerability. If upgrading is not immediately possible, implement a WAF workaround.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official WP All Import Pro website or their WordPress plugin repository page for the latest security advisories and updates.