CVE-2024-0677
Pz-LinkCard <= 2.5.1 - Contributor+ SSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks.
El complemento Pz-LinkCard de WordPress hasta la versión 2.5.1 no impide que los usuarios hagan ping a hosts arbitrarios a través de algunos de sus códigos cortos, lo que podría permitir a usuarios con altos privilegios, como los contribuyentes, realizar ataques SSRF.
The Pz-LinkCard plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.2 via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-01-18 CVE Reserved
- 2024-03-07 CVE Published
- 2024-03-28 EPSS Updated
- 2024-08-01 CVE Updated
- 2024-08-01 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/0f7757c9-69fa-49db-90b0-40f0ff29bee7 | 2024-08-01 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Unknown Search vendor "Unknown" | Pz-LinkCard Search vendor "Unknown" for product "Pz-LinkCard" | <= 2.5.1 Search vendor "Unknown" for product "Pz-LinkCard" and version " <= 2.5.1" | en |
Affected
| ||||||