CVE-2024-13904
Published: 07 March 2025
Summary
CVE-2024-13904 is a medium-severity SSRF (CWE-918) vulnerability in Platformly Platform.Ly For Woocommerce. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the SSRF vulnerability by identifying, patching, and verifying the fix in the 'hooks' function of the Platform.ly plugin as per changeset 3249460.
Validates inputs to the 'hooks' function to block unauthenticated attackers from supplying arbitrary URLs that trigger server-side requests to internal services.
Monitors and controls communications at the web application boundary to prevent and detect outbound requests to unauthorized internal locations exploited via SSRF.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an unauthenticated SSRF vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications to interact with internal services.
NVD Description
The Platform.ly for WooCommerce plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.6 via the 'hooks' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations…
more
originating from the web application and can be used to query and modify information from internal services.
Deeper analysisAI
CVE-2024-13904 is a Blind Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the Platform.ly for WooCommerce plugin for WordPress in all versions up to and including 1.1.6. The flaw exists in the 'hooks' function, which allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-03-07.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation enables attackers to leverage the web server to query and modify information from internal services that are not directly accessible from the internet, potentially leading to data leakage or unauthorized internal interactions.
References indicate mitigation through patching. The vulnerable code is visible in the plugin source at platformly-for-woocommerce.php line 167 on the WordPress plugin trac, with a fix applied in changeset 3249460. Wordfence provides further threat intelligence details on the vulnerability.
Details
- CWE(s)