Starter Templates <= 3.2.4 – Authenticated (Contributor+) Server-Side Request Forgery | CVE 2023-41804 | Plugin Vulnerabilities

Description

The Starter Templates (free and premium) plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.2.4 via the remote_request. This can allow authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

astra-pro-sites

Fixed in 3.2.5

Fixed in 3.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0bdbba-2b67-42b9-8c26-115d472aed0e

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

fbedd0b1-a622-4114-ab94-9575797b0c9e

Timeline

Publicly Published

2023-09-05 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-12-04 (about 2 years ago)

Other

Published

Title

Published

2025-09-26

Title

ZoloBlocks < 2.3.12 - Unauthenticated Sever-Side Request Forgery

Published

2014-11-30

Title

WordPress <= 4.0 - Server Side Request Forgery (SSRF)

Published

2025-05-07

Title

WP Pipes <= 1.4.3 - Authenticated (Administrator+) Server-Side Request Forgery

Published

2025-11-17

Title

Local Syndication <= 1.5a - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

Published

2022-10-27

Title

All in One SEO Pro < 4.2.6 - Admin+ SSRF