WordPress Plugin Vulnerabilities

Import XML and RSS Feeds < 2.0.3 - Authenticated Server-side Request Forgery (SSRF)

Description

The plugin is affected by a Server-side request forgery (SSRF) vulnerability via the data parameter in a moove_read_xml action.

Affects Plugins

Plugin icon
import-xml-feed
Fixed in 2.0.3

References

CVE
CVE-2020-24148
URL
https://github.com/secwx/research/blob/main/cve/CVE-2020-24148.md

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Suzhou Aurora Infinity Information Technology Co., Ltd.
Verified
Yes
WPVDB ID
0b915c14-e77d-4ae7-9ac0-8a80c7316e7b

Timeline

Publicly Published
2021-04-13 (about 4 years ago)
Added
2021-07-09 (about 4 years ago)
Last Updated
2022-02-06 (about 4 years ago)

Other

Published
Title
Published
2021-04-13
Title
WP Smart Import < 1.0.1 - Auhenticated Server-side Request Forgery
Published
2025-01-24
Title
Comment Edit Core – Simple Comment Editing < 3.1.0 - Authenticated (Admin+) Server-Side Request Forgery
Published
2025-05-07
Title
Easy Replace Image < 3.5.1 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2023-11-27
Title
12 Step Meeting List < 3.14.25 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-06-05
Title
Car Repair Services <= 5.0 - Unauthenticated Server-Side Request Forgery