Cyber Resilience

CVE-2024-13924

Severity: Medium
Published: 08 March 2025
Modified: 12 March 2025
KEV Added: not listed
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0007 (21.5th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13924 is a medium-severity SSRF (CWE-918) vulnerability in Starter Templates by FancyWP. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13924 is a Blind Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Starter Templates by FancyWP plugin for WordPress. It affects all versions up to and including 2.0.0 and stems from inadequate validation via the 'http_request_host_is_external' filter. Published on March 8, 2025, the issue has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By triggering the flawed filter, they can force the web server to originate requests to arbitrary locations, which is the basis of a blind SSRF attack. This could allow querying or modifying data on internal services that are not directly reachable from the internet.

Wordfence advisories provide detailed threat intelligence on the vulnerability, and the WordPress plugin Trac repository shows the relevant code in class-export.php. Mitigation likely involves updating the plugin to a version later than 2.0.0, as 2.0.0 and earlier remain vulnerable.
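The following is an added example, not code from the Starter Templates plugin, from WordPress core or from the references this page cites: a restrictive callback for the WordPress 'http_request_host_is_external' filter named above, showing the host validation that closes this class of blind SSRF. The function name, constant name and the allowlisted hostname are assumptions for illustration.

```php
<?php
// Added example, not code from the Starter Templates plugin or from WordPress core.
// wp_http_validate_url() runs 'http_request_host_is_external' only when a request
// target resolves to a loopback or private address; a callback returning true tells
// core to allow it (a plugin hooking '__return_true' there allows everything).
// The safe shape: approve only an explicit allowlist, otherwise return $external.

// Hypothetical allowlist of internal hostnames this site legitimately contacts.
const EXAMPLE_ALLOWED_INTERNAL_HOSTS = array( 'templates.internal.example' );

/**
 * @param bool   $external Core's current decision (false when the filter runs).
 * @param string $host     Hostname or IP of the outgoing request.
 * @param string $url      Full URL of the outgoing request.
 * @return bool  true only for an allowlisted HTTPS hostname; otherwise $external.
 */
function example_host_is_external( $external, $host, $url ) {
    $host   = strtolower( rtrim( (string) $host, '.' ) );
    $scheme = strtolower( (string) parse_url( (string) $url, PHP_URL_SCHEME ) );

    // Never approve raw IP literals or non-HTTPS schemes, whatever the host.
    if ( 'https' !== $scheme || false !== filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return $external;
    }
    // Exact match only: no wildcards, no suffix matching.
    return in_array( $host, EXAMPLE_ALLOWED_INTERNAL_HOSTS, true ) ? true : $external;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register the callback, accepting all three arguments.
    add_filter( 'http_request_host_is_external', 'example_host_is_external', 10, 3 );
} else {
    // Stand-alone self-check (php this_file.php) on constructed inputs.
    $cases = array(
        array( true,  'templates.internal.example', 'https://templates.internal.example/export' ),
        array( false, 'templates.internal.example', 'http://templates.internal.example/export' ),
        array( false, '10.0.0.5',                   'https://10.0.0.5/' ),
        array( false, 'other.internal.example',     'https://other.internal.example/' ),
    );
    foreach ( $cases as list( $want, $h, $u ) ) {
        if ( $want !== example_host_is_external( false, $h, $u ) ) {
            fwrite( STDERR, "mismatch for $u\n" );
            exit( 1 );
        }
    }
    echo "all checks passed\n";
}
```

Run outside WordPress the file exercises the callback on the constructed cases; inside WordPress it registers the callback so that only the allowlisted host is ever approved.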

Vulnerability details

The Starter Templates by FancyWP plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the 'http_request_host_is_external' filter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

The SSRF vulnerability in a public-facing WordPress plugin directly enables T1190 for remote unauthenticated exploitation. It also facilitates T1046 by allowing the server to originate requests that can probe and query internal network services.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42860 (shared CWE-918)
CVE-2025-25785 (shared CWE-918)
CVE-2024-53705 (shared CWE-918)
CVE-2026-5418 (shared CWE-918)
CVE-2026-45082 (shared CWE-918)
CVE-2026-7065 (shared CWE-918)
CVE-2025-55150 (shared CWE-918)
CVE-2025-28091 (shared CWE-918)
CVE-2025-1849 (shared CWE-918)
CVE-2025-27777 (shared CWE-918)

Affected Assets

Vendor: fancywp
Product: starter templates
Versions: ≤ 2.0.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): requires validation of information inputs, directly addressing the inadequate host validation in the 'http_request_host_is_external' filter that enables blind SSRF.

AC-4 Information Flow Enforcement (prevent): enforces information flow control policies to restrict unauthorized outbound requests to arbitrary internal or external locations exploited in this SSRF vulnerability.

SC-7 Boundary Protection (prevent, detect): monitors and controls communications at system boundaries, mitigating SSRF by blocking or detecting unexpected outbound requests from the web application.
