Platform: wordpress
Component: seraphinite-post-docx-source
Fixed version: 2.16.10
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Seraphinite Solutions’ Seraphinite Post .DOCX Source. This flaw allows attackers to potentially trigger unintended requests to internal or external resources, leading to unauthorized access or data exposure. The vulnerability impacts versions of Seraphinite Post .DOCX Source up to and including 2.16.9, with a fix available in version 2.16.10.
The SSRF vulnerability in Seraphinite Post .DOCX Source allows an attacker to craft malicious requests that the server then issues on their behalf. Several impacts follow. An attacker could reach internal services that are not directly exposed to the internet, such as databases, internal APIs, or administrative interfaces, and might read sensitive data stored in those systems. An attacker could also use the SSRF to scan internal networks, identify other vulnerable services, and escalate the attack from there. The blast radius extends to any internal resource reachable over HTTP/HTTPS from the affected WordPress instance.
CVE-2024-38728 was publicly disclosed on July 22, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available at this time, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for updates.
WordPress websites utilizing the Seraphinite Post .DOCX Source plugin, particularly those with internal services accessible via HTTP/HTTPS, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the patch.
• wordpress / composer / npm:
grep -r 'http://' /var/www/html/wp-content/plugins/seraphinite-post-docx-source/includes/*
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/seraphinite-post-docx-source/includes/some-file.php | grep -i 'server:'
Exploit status
EPSS: 0.27% (51st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-38728 is to upgrade Seraphinite Post .DOCX Source to version 2.16.10 or later. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider temporary workarounds, such as restricting outbound network access from the WordPress server with a Web Application Firewall (WAF) or egress proxy, and configuring the server to allow connections only to specific, trusted domains. Carefully review and restrict any user-supplied input that is used to construct URLs. After upgrading, verify the fix by attempting to trigger an SSRF request and confirming that it is blocked or redirected.
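As an added example (not the plugin's code and not from the advisory), the "trusted domains only" workaround above written as a PHP check a plugin could run before fetching a user-supplied URL; the allowed host names, the sample URLs and the fixed DNS table are constructed placeholders.

```php
<?php
// Added example, not code from the Seraphinite plugin: an egress allowlist for
// user-supplied URLs, i.e. "only allow connections to specific, trusted domains".
// The host names and the fixed DNS table below are constructed placeholders.
const ALLOWED_HOSTS = ['docs.example.com', 'cdn.example.com'];

/**
 * Returns null if $url may be fetched, otherwise a short reason for rejecting it.
 * Checks scheme, embedded credentials, an exact host allowlist, and that every
 * address the host resolves to is public (no loopback, private or reserved IPv4).
 */
function ssrf_check_url(string $url, array $allowed_hosts = ALLOWED_HOSTS, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'unparseable URL or missing scheme/host';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed: ' . $parts['scheme'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL';
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return 'host not on allowlist: ' . $host;
    }
    // Check every resolved address: an allowlisted name pointing at an internal IP is still refused.
    $resolver = $resolver ?? fn(string $h): array => gethostbynamel($h) ?: [];
    foreach ($resolver($host) ?: ['<unresolved>'] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return 'host unresolved or resolves to a non-public address: ' . $ip;
        }
    }
    return null;
}

// Demonstration with a fixed resolver so the example runs offline.
$fake_dns = fn(string $h): array => [
    'docs.example.com' => ['93.184.216.34'],
    'cdn.example.com'  => ['10.0.0.5'],   // allowlisted name, but resolves internally
][$h] ?? [];
foreach ([
    'https://docs.example.com/template.docx',
    'https://cdn.example.com/template.docx',
    'http://192.168.1.10/status',
    'https://user:pw@docs.example.com/',
] as $u) {
    printf("%-42s %s\n", $u, ssrf_check_url($u, ALLOWED_HOSTS, $fake_dns) ?? 'ALLOWED');
}
```

Inside WordPress itself, wp_safe_remote_get() applies a comparable built-in filter against loopback and private addresses, so fetches of user-supplied URLs should go through it rather than wp_remote_get().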
Update the Seraphinite Post .DOCX Source plugin to the latest version. Exploiting the SSRF vulnerability lets an attacker make requests to internal servers; the update fixes this vulnerability.
CVE-2024-38728 is a Server-Side Request Forgery (SSRF) vulnerability affecting Seraphinite Post .DOCX Source versions up to 2.16.9, allowing attackers to make requests on behalf of the server.
If you are using Seraphinite Post .DOCX Source version 2.16.9 or earlier, you are potentially affected by this SSRF vulnerability.
Upgrade Seraphinite Post .DOCX Source to version 2.16.10 or later to mitigate the SSRF vulnerability. Consider temporary WAF rules if immediate upgrade is not possible.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests potential for exploitation, so vigilance is advised.
Refer to the Seraphinite Solutions website or their official communication channels for the latest advisory regarding CVE-2024-38728.