CVE-2024-13904 Overview
CVE-2024-13904 is a critical Blind Server-Side Request Forgery (SSRF) vulnerability affecting the Platform.ly for WooCommerce plugin for WordPress. The vulnerability exists in all versions up to and including 1.1.6 and is located within the hooks function. This flaw allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application, potentially enabling them to query and modify information from internal services.
Critical Impact
Unauthenticated attackers can leverage this Blind SSRF vulnerability to reach internal network resources, potentially exposing sensitive data and enabling modification of internal service configurations.
Affected Products
- Platform.ly for WooCommerce versions up to and including 1.1.6
- WordPress installations running the vulnerable plugin versions
- WooCommerce stores with Platform.ly integration enabled
Discovery Timeline
- 2025-03-07 - CVE-2024-13904 published to NVD
- 2025-03-13 - Last updated in NVD database
Technical Details for CVE-2024-13904
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw exists within the hooks function of the Platform.ly for WooCommerce plugin, which fails to properly validate and sanitize user-supplied URLs before making server-side HTTP requests. Because this is a "blind" SSRF, the attacker does not receive direct responses from the targeted internal services, but can still use timing-based techniques and side-channel attacks to infer information or trigger actions on internal systems.
The vulnerability is particularly dangerous because it requires no authentication to exploit. An attacker can craft malicious requests that cause the WordPress server to make outbound connections to arbitrary destinations, including internal network resources that would otherwise be inaccessible from the internet.
Root Cause
The root cause of this vulnerability is improper input validation within the hooks function at line 167 of the platformly-for-woocommerce.php file. The function accepts user-controlled input for URL parameters without implementing adequate validation, allow-listing, or URL scheme restrictions. This enables attackers to specify arbitrary URLs, including those pointing to internal network addresses (such as 127.0.0.1, localhost, or private IP ranges), cloud metadata services, or other sensitive endpoints.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can remotely send crafted HTTP requests to the WordPress installation with malicious URL parameters targeting the vulnerable hooks endpoint. The server then processes these requests and initiates outbound connections to attacker-specified destinations.
Common exploitation scenarios include:
- Accessing cloud metadata services (e.g., AWS EC2 metadata at 169.254.169.254)
- Scanning internal network services and ports
- Interacting with internal APIs and databases
- Bypassing firewall restrictions by using the server as a proxy
- Retrieving sensitive configuration files from internal systems
The vulnerability can be exploited by sending specially crafted requests to the hooks function with malicious URL parameters. Technical details are available in the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-13904
Indicators of Compromise
- Unusual outbound HTTP requests from the WordPress server to internal IP addresses or localhost
- Requests targeting cloud metadata endpoints (e.g., 169.254.169.254)
- Unexpected activity in web server logs involving the hooks function or Platform.ly plugin endpoints
- Outbound connections to unfamiliar external hosts initiated by the web application
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing internal IP addresses or suspicious URL patterns in request parameters
- Implement network-level monitoring for outbound connections from web servers to internal network ranges
- Review WordPress access logs for unauthenticated requests to Platform.ly plugin endpoints
- Deploy SSRF-specific detection rules in security monitoring tools to flag requests with localhost, private IP ranges, or cloud metadata URLs
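As an added example (not from the advisory, Wordfence or the plugin), the SSRF-specific detection rule described above applied to a few constructed access-log lines: URL-valued query parameters are decoded and their host is checked with Python's ipaddress module, which also catches IPv6 loopback and avoids the false positive that a bare "10." pattern would raise on an ordinary value such as version=10.5. The Apache log format and the parameter name url are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); the "url"
# parameter name is an assumption, not the plugin's real parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2025:10:00:01 +0000] "GET /?platformly_hook=1&url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.11 - - [07/Mar/2025:10:00:02 +0000] "GET /?url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.12 - - [07/Mar/2025:10:00:03 +0000] "GET /?url=http://[::1]/ HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.13 - - [07/Mar/2025:10:00:04 +0000] "GET /?url=https://api.platform.ly/v1/events HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [07/Mar/2025:10:00:05 +0000] "GET /product/?version=10.5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

def classify_target(url):
    """Reason a URL looks like an SSRF target (loopback/private/link-local/localhost), else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "non-http scheme %r" % parts.scheme
    host = (parts.hostname or "").lower()  # urlsplit strips [] from IPv6 literals
    if host == "localhost":
        return "reserved hostname localhost"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name or non-dotted form: would need resolution, not done here
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return "internal address %s" % ip
    return None

def scan_log(text):
    """Return (client, parameter, decoded URL, reason) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                value = unquote(value)  # second pass catches double-encoded URLs
                if "://" not in value:  # only URL-valued parameters matter here
                    continue
                reason = classify_target(value)
                if reason:
                    hits.append((line.split()[0], name, value, reason))
    return hits
```

A DNS name that resolves to an internal address is not flagged by this log-side check; that case needs resolution at request time or egress monitoring as recommended below.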
Monitoring Recommendations
- Enable detailed logging for all outbound HTTP requests made by the WordPress application
- Configure alerting for any web server requests to RFC 1918 private IP addresses or link-local addresses
- Monitor for timing anomalies that may indicate blind SSRF exploitation attempts
- Implement egress filtering and log all blocked outbound connection attempts
How to Mitigate CVE-2024-13904
Immediate Actions Required
- Update Platform.ly for WooCommerce to the latest patched version immediately
- Audit web server logs for signs of exploitation attempts targeting the hooks function
- Implement WAF rules to block requests containing internal IP addresses or suspicious URL patterns
- Review and restrict outbound network access from web servers to only necessary destinations
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix is available in the WordPress Plugin Changeset 3249460. Users should update to the patched version as soon as possible. The patch implements proper URL validation and sanitization to prevent arbitrary URL requests.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the Platform.ly for WooCommerce plugin until an update can be applied
- Implement network-level egress filtering to prevent the web server from making connections to internal network ranges
- Deploy a web application firewall with SSRF protection rules to filter malicious requests
- Restrict outbound internet access from the WordPress server to only necessary, allow-listed destinations
# Example WAF rule to block internal IP access (ModSecurity)
# The address must follow "://" so that ordinary values such as version=10.5 do not trip the 10. pattern;
# t:urlDecodeUni catches double-encoded parameters and t:lowercase makes the localhost match case-insensitive.
SecRule ARGS "@rx ://(127\.0\.0\.1|localhost|\[::1\]|169\.254\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,status:403,msg:'Potential SSRF attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

