Cyber Resilience

CVE-2024-13904

Medium

Published: 07 March 2025

Published
07 March 2025
Modified
13 March 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0046 64.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13904 is a medium-severity SSRF (CWE-918) vulnerability in Platformly Platform.Ly For Woocommerce. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13904 is a Blind Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the Platform.ly for WooCommerce plugin for WordPress in all versions up to and including 1.1.6. The flaw exists in the 'hooks' function, which allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-03-07.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation enables attackers to leverage the web server to query and modify information from internal services that are not directly accessible from the internet, potentially leading to data leakage or unauthorized internal interactions.

References indicate mitigation through patching. The vulnerable code is visible in the plugin source at platformly-for-woocommerce.php line 167 on the WordPress plugin trac, with a fix applied in changeset 3249460. Wordfence provides further threat intelligence details on the vulnerability.

EU & UK References

Vulnerability details

The Platform.ly for WooCommerce plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.6 via the 'hooks' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations…

more

originating from the web application and can be used to query and modify information from internal services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated SSRF vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications to interact with internal services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13923Same product class: WordPress / CMS plugin
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2025-7360Same product class: WordPress / CMS plugin
CVE-2024-13641Same product class: WordPress / CMS plugin
CVE-2024-13558Same product class: WordPress / CMS plugin
CVE-2025-1912Same product class: WordPress / CMS plugin
CVE-2025-24596Same product class: WordPress / CMS plugin
CVE-2025-1441Same product class: WordPress / CMS plugin

Affected Assets

platformly
platform.ly for woocommerce
≤ 1.1.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the SSRF vulnerability by identifying, patching, and verifying the fix in the 'hooks' function of the Platform.ly plugin as per changeset 3249460.

prevent

Validates inputs to the 'hooks' function to block unauthenticated attackers from supplying arbitrary URLs that trigger server-side requests to internal services.

preventdetect

Monitors and controls communications at the web application boundary to prevent and detect outbound requests to unauthorized internal locations exploited via SSRF.

References