Themes Vulnerabilities

CAS <= 1.0.0 - Unauthenticated SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attack

Proof of Concept

Affects Themes

cas
No known fix

References

CVE
CVE-2024-4399

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Aly Khaled Aly Abd Al-aal
Submitter
Aly Khaled Aly Abd Al-aal
Submitter website
https://0x41ly.github.io/
Submitter twitter
Aly_Khal3d
Verified
Yes
WPVDB ID
0690327e-da60-4d71-8b3c-ac9533d82302

Timeline

Publicly Published
2024-05-02 (about 1 year ago)
Added
2024-05-02 (about 1 year ago)
Last Updated
2024-05-02 (about 1 year ago)

Other

Published
Title
Published
2025-05-07
Title
Display Remote Posts Block < 1.1.1 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-01-31
Title
Traveler Layout Essential For Elementor < 1.4 - Unauthenticated Server-Side Request Forgery
Published
2025-06-05
Title
SocialMark <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-09-26
Title
Silencesoft RSS Reader <= 0.6 - Unauthenticated Server-Side Request Forgery
Published
2023-05-02
Title
Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery