WordPress Plugin Vulnerabilities

Auto Featured Image (Auto Post Thumbnail) < 4.1.4 - Author+ SSRF

Description

The plugin is vulnerable to Server-Side Request Forgery, allowing authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
auto-post-thumbnail
Fixed in 4.1.4

References

CVE
CVE-2024-33629
URL
https://patchstack.com/database/vulnerability/auto-post-thumbnail/wordpress-auto-featured-image-auto-post-thumbnail-plugin-4-0-0-server-side-request-forgery-ssrf-vulnerability

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Yuchen Ji
Verified
No
WPVDB ID
89b4df81-75c0-42a4-bfc5-dbc06a39cd4e

Timeline

Publicly Published
2024-04-25 (about 2 years ago)
Added
2024-05-01 (about 2 years ago)
Last Updated
2024-10-04 (about 1 year ago)

Other

Published
Title
Published
2025-02-14
Title
Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme < 3.1.5 - Authenticated (Contributor+) Blind Server-Side Request Forgery via remote_request
Published
2024-05-21
Title
MemberPress < 1.11.30 - Authenticated (Contributor+) Blind Server-Side Request Forgery via mepr-user-file Shortcode
Published
2026-01-21
Title
WPO365 < 40.1 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-10-14
Title
Task Scheduler <= 1.6.3 - Authenticated (Admin+) Blind Server-Side Request Forgery
Published
2026-03-03
Title
PostX < 5.0.9 - Admin+ SSRF via REST API Endpoints