WordPress Plugin Vulnerabilities

Assistant < 1.4.4 - Editor+ SSRF

Description

The plugin does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
assistant
Fixed in 1.4.4

References

CVE
CVE-2023-5798

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Ji Yuchen
Submitter
Ji Yuchen
Verified
Yes
WPVDB ID
bbb4c98c-4dd7-421e-9666-98f15acde761

Timeline

Publicly Published
2023-07-26 (about 2 years ago)
Added
2023-10-26 (about 2 years ago)
Last Updated
2023-10-26 (about 2 years ago)

Other

Published
Title
Published
2025-12-10
Title
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator < 5.1.2 - Unauthenticated Blind Server-Side Request Forgery
Published
2025-11-18
Title
Icon List Block – Add Icon-Based Lists with Custom Styles < 1.2.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2022-02-28
Title
Formcraft3 < 3.8.28 - Unauthenticated SSRF
Published
2024-05-16
Title
Cost Calculator Builder Pro < 3.1.73 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-03-26
Title
Gutenberg Blocks with AI by Kadence WP – Page Builder Features < 3.2.20 - Contributor+ Server-Side Request Forgery