Platform
wordpress
Component
pdf-invoices-packing-slips-for-woocommerce
Fixed in
3.8.1
CVE-2024-3047 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the PDF Invoices & Packing Slips for WooCommerce plugin. This flaw allows unauthenticated attackers to initiate arbitrary web requests from the WordPress application, potentially accessing internal resources and sensitive data. The vulnerability affects versions of the plugin up to and including 3.8.0. A patch is available to resolve this issue.
The SSRF vulnerability in PDF Invoices & Packing Slips for WooCommerce allows an attacker to make requests to any internal service accessible to the web server. This could include accessing administrative panels, databases, or other sensitive resources that are not directly exposed to the internet. Successful exploitation could lead to data breaches, unauthorized access to internal systems, and potentially even remote code execution if internal services are vulnerable. The lack of authentication required for exploitation significantly broadens the attack surface, making it easier for malicious actors to leverage this vulnerability.
CVE-2024-3047 was publicly disclosed on May 2, 2024. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium, given the ease of exploitation and potential impact. It has been added to the CISA KEV catalog.
WordPress websites utilizing the PDF Invoices & Packing Slips for WooCommerce plugin, particularly those running versions 3.8.0 or earlier, are at risk. Shared hosting environments where multiple websites share the same server infrastructure are especially vulnerable, as an attacker could potentially leverage this vulnerability to access other websites on the same server.
• wordpress / composer / npm:
grep -r 'transform(' /var/www/html/wp-content/plugins/pdf-invoices-packing-slips-for-woocommerce/includes/class-wc-pdf-invoice.php
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/pdf-invoices-packing-slips-for-woocommerce/includes/class-wc-pdf-invoice.php | grep -i 'server' # Check the Server header for internal server disclosure
Exploit Status
EPSS
0.45% (percentile 64%)
CVSS Vector
The primary mitigation for CVE-2024-3047 is to upgrade the PDF Invoices & Packing Slips for WooCommerce plugin to a version that includes the security patch. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to suspicious internal IP addresses or domains. Additionally, restrict the plugin's access to internal resources by implementing network segmentation and access control lists. Monitor web server logs for unusual outbound requests originating from the plugin.
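One way to apply the "restrict the plugin's access to internal resources" and "monitor for unusual outbound requests" advice at the WordPress layer, while the upgrade is being scheduled, is a must-use plugin that short-circuits any request made through the WordPress HTTP API whose destination resolves to a loopback, private or reserved address. The code below is an added example written for this page; it is not part of the advisory, the plugin, or WordPress core. The function names prefixed `ssrf_guard_` and the log message format are assumptions; `pre_http_request`, `wp_parse_url` and `WP_Error` are real WordPress APIs, and the address-range flags are PHP's own `filter_var` flags.

```php
<?php
/**
 * Added example (not from the advisory or the plugin): a WordPress must-use plugin
 * that blocks outbound HTTP API requests to internal addresses. Install by copying
 * the file into wp-content/mu-plugins/. The ssrf_guard_* names are assumptions.
 */

/**
 * Return true when $host (an IP literal or a DNS name) points at an internal address.
 * Fails closed: a host that cannot be resolved is treated as internal.
 */
function ssrf_guard_is_internal_host( string $host ): bool {
    $host = trim( $host, '[]' ); // wp_parse_url keeps the brackets of IPv6 literals

    // IP literals are checked directly; DNS names are resolved to their A records.
    $ips = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return true;
    }

    foreach ( $ips as $ip ) {
        // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
        // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, ::1 and similar.
        $public = filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
        if ( false === $public ) {
            return true;
        }
    }
    return false;
}

/**
 * pre_http_request filter callback. Returning a WP_Error stops wp_remote_get(),
 * wp_remote_post() and friends before a socket is opened; the caller receives
 * the error instead of a response. Blocked requests are logged so that the log
 * monitoring the advisory recommends has something concrete to match on.
 */
function ssrf_guard_pre_http_request( $preempt, $parsed_args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // an earlier filter already decided this request
    }

    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( empty( $host ) || ssrf_guard_is_internal_host( $host ) ) {
        error_log( sprintf( 'ssrf-guard: blocked outbound request to %s', $url ) ); // assumed log format
        return new WP_Error( 'ssrf_guard_blocked', 'Outbound request to an internal address was blocked.' );
    }
    return $preempt;
}
add_filter( 'pre_http_request', 'ssrf_guard_pre_http_request', 10, 3 );
```

Two caveats apply. The filter only governs requests that go through the WordPress HTTP API; a PDF library that fetches remote images with raw cURL or file_get_contents bypasses it, which is why this complements the upgrade rather than replacing it. The check also resolves the hostname once at filter time, so a name whose DNS answer changes between the check and the connection (DNS rebinding) is not fully covered; an explicit allowlist of expected external hosts is the stricter variant when the set of legitimate destinations is known.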
Update the PDF Invoices & Packing Slips for WooCommerce plugin to the latest available version. Version 3.8.1 or later fixes this Server-Side Request Forgery (SSRF) vulnerability.
CVE-2024-3047 is a Server-Side Request Forgery vulnerability affecting the PDF Invoices & Packing Slips for WooCommerce plugin, allowing attackers to make requests to internal services.
Yes, if you are using the PDF Invoices & Packing Slips for WooCommerce plugin version 3.8.0 or earlier, you are vulnerable to this SSRF vulnerability.
Upgrade the PDF Invoices & Packing Slips for WooCommerce plugin to the latest version, which includes a patch for this vulnerability.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official WooCommerce plugin advisory for details and updates: [https://woocommerce.com/security/](https://woocommerce.com/security/)