WordPress Plugin Vulnerabilities

WP Smart Import < 1.0.1 - Auhenticated Server-side Request Forgery

Description

The plugin is affected by an authenticated server-side request forgery (SSRF) vulnerability in versions before 1.0.1.

Affects Plugins

Plugin icon
wp-smart-import
Fixed in 1.0.1

References

CVE
CVE-2020-24147
URL
https://github.com/secwx/research/blob/main/cve/CVE-2020-24147.md
URL
https://plugins.trac.wordpress.org/changeset/2350545/wp-smart-import/trunk/includes/upload.php

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Suzhou Aurora Infinity Information Technology Co., Ltd.
Verified
Yes
WPVDB ID
e3da00f3-96a1-4434-8871-8133bc5c1154

Timeline

Publicly Published
2021-04-13 (about 5 years ago)
Added
2021-07-09 (about 4 years ago)
Last Updated
2021-08-10 (about 4 years ago)

Other

Published
Title
Published
2025-03-21
Title
Make Builder < 1.1.11 - Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function
Published
2026-03-20
Title
WowOptin: Next-Gen Popup Maker < 1.4.30 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API
Published
2022-03-28
Title
EXMAGE < 1.0.7 - Admin+ Blind SSRF
Published
2025-09-26
Title
PopAd <= 1.0.4 - Authenticated (Admin+) Server-Side Request Forgery
Published
2024-04-25
Title
Auto Featured Image (Auto Post Thumbnail) < 4.1.4 - Author+ SSRF