WordPress Plugin Vulnerabilities

Telefication <= 1.8.0 - Open Relay & Server-Side Request Forgery

Description

The plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests.

Affects Plugins

Plugin icon
telefication
No known fix

References

CVE
CVE-2021-39339
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39339

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Marco Wotschka & Charles Strader Sweethill
Verified
No
WPVDB ID
8e55ed30-364e-4021-a306-3fcf52021c4c

Timeline

Publicly Published
2021-09-21 (about 4 years ago)
Added
2021-09-21 (about 4 years ago)
Last Updated
2022-04-10 (about 4 years ago)

Other

Published
Title
Published
2025-09-03
Title
WP Bannerize Pro < 1.11.0 - Authenticated (Editor+) Server-Side Request Forgery
Published
2023-08-15
Title
WP Remote Users Sync < 1.2.13 - Subscriber+ SSRF
Published
2025-02-28
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss < 2.7.5 - Unauthenticated Limited Server-Side Request Forgery in nice_links
Published
2025-12-31
Title
WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. <= 1.0.7 - Unauthenticated Server-Side Request Forgery
Published
2025-03-25
Title
Zapier for WordPress < 1.5.2 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via updated_user Function