WordPress Plugin Vulnerabilities

Wappointment < 2.6.1 - Admin+ SSRF

Description

The plugin is vulnerable to Server-Side Request Forgery, allowing authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
wappointment
Fixed in 2.6.1

References

CVE
CVE-2024-32454
URL
https://patchstack.com/database/vulnerability/wappointment/wordpress-wappointment-plugin-2-6-0-server-side-request-forgery-ssrf-vulnerability

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Manab Jyoti Dowarah
Verified
No
WPVDB ID
52df25e2-2171-4147-aa5c-989cd44166e8

Timeline

Publicly Published
2024-04-12 (about 1 year ago)
Added
2024-04-18 (about 1 year ago)
Last Updated
2024-04-29 (about 1 year ago)

Other

Published
Title
Published
2025-01-31
Title
Traveler Layout Essential For Elementor < 1.4 - Unauthenticated Server-Side Request Forgery
Published
2024-07-22
Title
AI Engine < 2.4.8 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-03-07
Title
Pz-LinkCard < 2.5.3 - Contributor+ SSRF
Published
2025-03-24
Title
WP Compress < 6.30.16 - Unauthenticated Server-Side Request Forgery via init Function
Published
2024-07-08
Title
Jetpack Boost < 3.4.7 - Admin+ SSRF