WPCafe < 2.2.24 – Unauthenticated Blind Server-Side Request Forgery | CVE 2024-1855 | Plugin Vulnerabilities

Description

The WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.23 via the wpc_check_for_submission function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application.

Affects Plugins

Fixed in 2.2.24

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5f83c19e-1b75-4fea-b4de-f7f844a449c0

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

e32eda77-dd41-4eff-82be-265993dec69a

Timeline

Publicly Published

2024-05-22 (about 2 years ago)

Added

2024-05-22 (about 2 years ago)

Last Updated

2024-05-23 (about 2 years ago)

Other

Published

Title

Published

2026-01-23

Title

Frontis Blocks < 1.1.7 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

Published

2024-05-16

Title

Cost Calculator Builder Pro < 3.1.73 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2025-07-04

Title

URL Shortener <= 3.0.7 - Unauthenticated Server-Side Request Forgery

Published

2024-04-25

Title

Radio Player < 2.0.74 - Unauthenticated Server-Side Request Forgery

Published

2025-08-14

Title

B Slider - Gutenberg Slider Block for WP < 2.0.1 - Authenticated (Subscriber+) Server-Side Request Forgery