平台
wordpress
组件
wp-skitter-slideshow
修复版本
2.5.3
CVE-2022-1751 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Skitter Slideshow plugin for WordPress. This flaw allows unauthenticated attackers to initiate web requests from the WordPress application to arbitrary locations, potentially exposing internal resources and services. The vulnerability affects versions of the plugin up to and including 2.5.2. A fix is available in updated versions of the plugin.
The SSRF vulnerability in Skitter Slideshow allows attackers to craft malicious requests that originate from the WordPress server. This can be exploited to query internal services that are not directly accessible from the outside world, potentially revealing sensitive information such as database credentials, API keys, or internal network configurations. An attacker could also use this vulnerability to modify data within internal services, leading to data breaches or service disruption. The impact is amplified if the WordPress server has access to a wide range of internal resources. While no direct remote code execution is possible, the ability to interact with internal services presents a significant security risk.
CVE-2022-1751 was publicly disclosed on August 17, 2024. There is currently no indication of active exploitation in the wild, but the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. No public proof-of-concept exploits have been released. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites using the Skitter Slideshow plugin, particularly those with access to sensitive internal services or resources, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'image.php' /var/www/html/wp-content/plugins/skitter-slideshow/• generic web:
curl -I https://your-wordpress-site.com/image.php?url=http://internal-service/ | grep -i 'internal-service'disclosure
漏洞利用状态
EPSS
0.85% (75% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2022-1751 is to upgrade the Skitter Slideshow plugin to a version that contains the fix. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to suspicious URLs or domains. Additionally, restrict the plugin's access to internal resources by implementing network segmentation and access controls. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface. After upgrading, verify the fix by attempting to make a request to an internal service and confirming that it is blocked.
将 Skitter Slideshow 插件更新到最新可用版本。这将会修复 SSRF 漏洞并保护您的网站免受潜在攻击。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2022-1751 is a Server-Side Request Forgery vulnerability in the Skitter Slideshow WordPress plugin, allowing attackers to make requests from the server to arbitrary locations.
You are affected if you are using Skitter Slideshow plugin versions less than or equal to 2.5.2.
Upgrade the Skitter Slideshow plugin to a patched version. If upgrading is not possible, implement a WAF rule to block suspicious requests.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the WordPress plugin repository and the plugin developer's website for the latest advisory and updates.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。