WordPress Plugin Vulnerabilities

Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery

Description

The WordPress Automatic Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery and Arbitrary File Downloads in all versions up to, and including, 3.92.0. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services in addition to accessing arbitrary files on the server that may contain sensitive information.

Affects Plugins

Plugin icon
wp-automatic
Fixed in 3.92.1

References

CVE
CVE-2024-27954
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/620e8931-64f0-4d9c-9a4c-1f5a703845ff

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
53b97401-1352-477b-a69a-680b01ef7266

Timeline

Publicly Published
2024-03-13 (about 1 year ago)
Added
2024-03-20 (about 1 year ago)
Last Updated
2024-03-20 (about 1 year ago)

Other

Published
Title
Published
2025-09-05
Title
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One <= 2.2.6 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-05-30
Title
Ninja Tables – Easiest Data Table Builder < 5.0.10 - Authenticated (Admin+) Server-Side Request Forgery
Published
2024-12-05
Title
Broken Link Checker < 2.4.2 - Admin+ SSRF
Published
2025-06-05
Title
Car Repair Services <= 5.0 - Unauthenticated Server-Side Request Forgery
Published
2024-07-11
Title
Seraphinite Post .DOCX Source < 2.16.10 - Authenticated (Subscriber+) Server-Side Request Forgery