exploitDog

CVE-2024-13360

Опубликовано: 22 янв. 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Ссылки

https://plugins.trac.wordpress.org/changeset/3224162/
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf6cbba-0e0c-4d2c-90d0-d7e0a5222df2?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:aipower:aipower:*:*:*:*:*:wordpress:*:*

Версия до 1.8.97 (исключая)

EPSS

Процентиль: 26%

0.00093

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-918

Связанные уязвимости

GHSA-prqh-6jh9-2qr5

CVSS3: 5.4

github

около 1 года назад

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

EPSS

Процентиль: 26%

0.00093

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-918