CVE-2024-51665
Published: 04 November 2024
Summary
CVE-2024-51665 is a medium-severity SSRF (CWE-918) vulnerability in Wpthemespace Magical Addons For Elementor. Its CVSS base score is 4.9 (Medium).
Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2024-51665 with CWE-918, in the Magical Addons For Elementor WordPress plugin by Noor Alam. It affects all versions through 1.2.1 and carries a CVSS 3.1 score of 4.9.
An authenticated attacker with low privileges can exploit the issue remotely, though the attack requires high complexity. Successful exploitation allows the attacker to induce the server into making unauthorized requests, resulting in limited impacts to confidentiality and integrity within a changed security scope.
The Patchstack advisory at the referenced URL documents the SSRF vulnerability in the plugin and is the primary source for details on affected versions and remediation steps. The EPSS score has remained steady at 0.3538 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45470
Vulnerability details
Server-Side Request Forgery (SSRF) vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Server Side Request Forgery.This issue affects Magical Addons For Elementor: from n/a through <= 1.2.1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.