PRIOn knowledge base: PRION:CVE-2024-0628
History: Feb 07, 2024 - 7:15 a.m.

Server-side request forgery (SSRF)

2024-02-07 07:15:00
PRIOn knowledge base
www.prio-n.com
wp rss aggregator
server-side request forgery
vulnerable plugin
web requests
arbitrary locations
authenticated attackers
internal services

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 14.1%)

The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

CPE
Name: wp_rss_aggregator
Operator: le
Version: 4.23.5
