WordPress, Blind Server-Side Request Forgery, CVE-2024-34052 (Medium)


The vulnerability exists in WP Crontrol's feature for adding URL-based ("HTTP request") cron events. An attacker with Administrator privileges can create or edit such an event and give it an arbitrary target URL, including an internal IP address or hostname. When WP-Cron fires the event, the plugin fetches the URL with `wp_remote_request()`. Unlike `wp_safe_remote_request()`, that function performs no check on the destination, so the request can reach systems on the server's local network that the attacker cannot reach directly. The "blind" qualifier means the attacker receives neither the response body nor timing information, so the exploit is limited to actions that need no feedback, such as triggering state-changing internal API calls.
Platform: WordPress Plugin (WP Crontrol)
Version: 1.17.0-1.19.1
Vulnerability: Blind SSRF
Severity: Medium

Date: 2024

Prediction: April 2024

What Undercode Say:

`curl -X POST "http://target/wp-admin/admin.php?page=crontrol_admin_manage_page" -d "action=new_http&hook_name=attacker_event&url=http://169.254.169.254/latest/meta-data/" -H "Cookie: admin_cookie"`

The parameter names are as the source gives them; WP Crontrol's admin forms also carry a WordPress nonce field, so in practice the request is captured from an authenticated browser session rather than typed from this template. The `169.254.169.254` target is the cloud instance-metadata address; the response is never returned to the attacker, which is what makes this SSRF blind.

How to Exploit:

1. Attacker authenticates as Administrator.

2. Navigates to the WP Crontrol management page.

3. Creates a new cron event with type "HTTP Request".

4. Sets the URL field to an internal endpoint (e.g., `http://127.0.0.1/admin`).

5. Saves the event. The server makes the request when the cron job runs; no response content comes back to the attacker.

Protection from this CVE:

Update to v1.19.2.

Use wp_safe_remote_request() instead of wp_remote_request(). It refuses non-http(s) schemes, ports other than 80, 443 and 8080, and destinations that resolve to loopback (127/8), 0/8 or RFC 1918 ranges, and it re-checks each redirect target.

Validate URLs with wp_http_validate_url() when the event is saved, so a rejected URL is reported to the administrator instead of failing silently at cron time. Note that this validator exempts `localhost` and the site's own hostname and has no rule for link-local addresses such as 169.254.169.254, so cloud-metadata targets need an additional check.
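The fix described above, as an added illustration that is not WP Crontrol's own code: the vulnerable callback shape beside a hardened one, plus the extra check that the stock validator does not make. Functions prefixed `example_` are hypothetical; `wp_remote_request()`, `wp_safe_remote_request()`, `wp_http_validate_url()`, `wp_parse_url()`, `esc_url_raw()` and `WP_Error` are the real WordPress APIs.

```php
<?php
// Added illustration for the fix above; this is not WP Crontrol's own code.
// Names prefixed "example_" are hypothetical. wp_remote_request(),
// wp_safe_remote_request(), wp_http_validate_url(), wp_parse_url(),
// esc_url_raw() and WP_Error are the real WordPress APIs.

// Vulnerable shape of an "HTTP request" cron callback. wp_remote_request()
// makes no judgement about the destination, so an Administrator-supplied URL
// such as http://127.0.0.1/admin or http://169.254.169.254/latest/meta-data/
// is fetched from inside the server's network when WP-Cron fires the hook.
function example_http_cron_vulnerable( $url, $method = 'GET' ) {
    return wp_remote_request( $url, array(
        'method'  => $method,
        'timeout' => 10,
    ) );
}

// Extra checks that wp_http_validate_url() does not make: it treats
// "localhost" (and the site's own hostname) as trusted and has no rule for
// link-local 169.254.0.0/16, where cloud instance-metadata services live.
// Resolution is IPv4-only via gethostbyname(); anything unresolvable is
// refused rather than guessed at.
function example_is_extra_unsafe( $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( empty( $host ) || 'localhost' === strtolower( $host ) ) {
        return true;
    }
    $ip = gethostbyname( $host );
    if ( $ip === $host && ! filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return true; // gethostbyname() returns its input unchanged on failure
    }
    return 0 === strpos( $ip, '169.254.' );
}

// Hardened shape. wp_safe_remote_request() applies wp_http_validate_url():
// only http/https, ports 80/443/8080, no odd characters in the host, and no
// destination resolving to 127/8, 0/8, 10/8, 172.16/12 or 192.168/16 (unless
// the 'http_request_host_is_external' filter allows it). Redirects are
// disabled so a 302 from a public host cannot steer the request past the
// extra check, which is only applied to the URL as submitted.
function example_http_cron_hardened( $url, $method = 'GET' ) {
    if ( false === wp_http_validate_url( $url ) || example_is_extra_unsafe( $url ) ) {
        return new WP_Error(
            'example_unsafe_url',
            'Refusing to request a non-public URL: ' . esc_url_raw( $url )
        );
    }
    return wp_safe_remote_request( $url, array(
        'method'      => $method,
        'timeout'     => 10,
        'redirection' => 0,
    ) );
}

// Run the same validation when the event is saved, so the administrator sees
// the rejection in the UI instead of the cron run failing silently.
function example_validate_event_url( $url ) {
    return false !== wp_http_validate_url( $url ) && ! example_is_extra_unsafe( $url );
}
```

Validating at save time and again at request time matters because DNS can change between the two: a hostname that resolved to a public address when the event was created may resolve to an internal one when WP-Cron fires, which is why the request-time check is the one that cannot be skipped.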

Impact:

Interaction with internal services reachable from the web server (blind: no response is returned).

Potential data modification via state-changing requests to those services.

Privileged (Administrator) access required.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
