CVE-2024-13924
Published: 08 March 2025
Summary
CVE-2024-13924 is a medium-severity SSRF (CWE-918) vulnerability in Fancywp Starter Templates. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13924 is a Blind Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Starter Templates by FancyWP plugin for WordPress. It affects all versions up to and including 2.0.0 and stems from inadequate validation via the 'http_request_host_is_external' filter. Published on March 8, 2025, the issue has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By triggering the flawed filter, they can force the web server to originate requests to arbitrary external locations, enabling blind SSRF attacks. This could allow querying or modifying data from internal services that are not directly accessible from the internet.
Advisories from Wordfence provide detailed threat intelligence on the vulnerability, while the WordPress plugin trac repository shows the relevant code in class-export.php. Mitigation likely involves updating the plugin beyond version 2.0.0, as earlier versions remain vulnerable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54198
Vulnerability details
The Starter Templates by FancyWP plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the 'http_request_host_is_external' filter. This makes it possible for unauthenticated attackers to make web requests to arbitrary…
more
locations originating from the web application and can be used to query and modify information from internal services.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SSRF vulnerability in a public-facing WordPress plugin directly enables T1190 for remote unauthenticated exploitation. It also facilitates T1046 by allowing the server to originate requests that can probe and query internal network services.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of information inputs, directly addressing the inadequate host validation in the 'http_request_host_is_external' filter that enables blind SSRF.
AC-4 enforces information flow control policies to restrict unauthorized outbound requests to arbitrary internal or external locations exploited in this SSRF vulnerability.
SC-7 monitors and controls communications at system boundaries, mitigating SSRF by blocking or detecting unexpected outbound requests from the web application.