WordPress Plugin Vulnerabilities

WP Remote Users Sync < 1.2.13 - Subscriber+ SSRF

Description

The plugin does not validate a parameter before making a request to it via the notify_ping_remote function, allowing any authenticated users, such as subscriber to perform SSRF attack

Affects Plugins

Plugin icon
wp-remote-users-sync
Fixed in 1.2.13

References

CVE
CVE-2023-3958

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
8.5 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
13106f40-9080-48da-a75f-0cf079149ff2

Timeline

Publicly Published
2023-08-15 (about 2 years ago)
Added
2023-08-16 (about 2 years ago)
Last Updated
2023-08-16 (about 2 years ago)

Other

Published
Title
Published
2023-08-29
Title
PowerPress Podcasting < 11.0.7 - Contributor+ SSRF
Published
2026-01-03
Title
Smart Auto Upload Images – Import External Images < 1.2.3 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2024-05-16
Title
Cost Calculator Builder Pro < 3.1.73 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-07-01
Title
Amazon Products to WooCommerce <= 1.2.7 - Unauthenticated Server-Side Request Forgery
Published
2023-10-19
Title
Motors – Car Dealer & Classified Ads < 1.4.7 - Unauthenticated SSRF