WordPress Plugin Vulnerabilities

Migration Backup Restore < 3.5.0 - Admin+ SSRF

Description

The plugin does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.

Proof of Concept

Affects Plugins

Plugin icon
wp-staging
Fixed in 3.5.0

References

CVE
CVE-2024-4469
URL
https://research.cleantalk.org/cve-2024-4469/
YouTube Video

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
d6b1270b-52c0-471d-a5fb-507e21b46310

Timeline

Publicly Published
2024-05-10 (about 1 year ago)
Added
2024-05-10 (about 1 year ago)
Last Updated
2024-05-10 (about 1 year ago)

Other

Published
Title
Published
2025-03-27
Title
Metform < 3.9.3 - Admin+ SSRF
Published
2025-11-18
Title
Responsive Lightbox & Gallery < 2.5.4 - Authenticated (Author+) Server-Side Request Forgery
Published
2013-06-21
Title
WordPress 3.5-3.5.1 HTTP API Unspecified Server Side Request Forgery (SSRF)
Published
2025-08-26
Title
Chartbeat <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2024-04-22
Title
FV Flowplayer Video Player < 7.5.45.7212 - Authenticated (Subscriber+) Server-side Request Forgery