CVE-2024-13905 Overview
The OneStore Sites plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 0.1.1. The vulnerability exists within the class-export.php file and allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. This flaw can be exploited to query and modify information from internal services, potentially exposing sensitive backend infrastructure.
Critical Impact
Unauthenticated attackers can leverage this SSRF vulnerability to access internal services, bypass firewall restrictions, and potentially exfiltrate sensitive data from systems that should not be externally accessible.
Affected Products
- sainwp onestore_sites versions up to and including 0.1.1
- WordPress installations running the OneStore Sites plugin
- Any internal services accessible from the WordPress server
Discovery Timeline
- 2025-02-27 - CVE-2024-13905 published to NVD
- 2025-03-12 - Last updated in NVD database
Technical Details for CVE-2024-13905
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability (CWE-918) allows attackers to abuse server functionality to perform requests to unintended locations. The vulnerability is particularly dangerous because it requires no authentication, meaning any external attacker can exploit it. The flaw enables both read and write operations against internal services, potentially allowing attackers to scan internal networks, access cloud metadata services, interact with internal APIs, or pivot to other systems within the network.
The vulnerability manifests in the class-export.php file within the OneStore Sites plugin. Without proper input validation and URL filtering, the application accepts attacker-controlled URLs and makes requests on behalf of the attacker from the server's network context.
Root Cause
The root cause of this vulnerability is insufficient validation of user-supplied URLs in the class-export.php file. The plugin fails to implement proper URL sanitization, allowing attackers to specify arbitrary destination addresses for server-side HTTP requests. This lack of input validation enables the server to be weaponized as a proxy for accessing internal resources that would otherwise be protected by network segmentation or firewall rules.
Attack Vector
The attack is network-based and can be executed by unauthenticated remote attackers. An attacker can craft malicious requests to the vulnerable endpoint, specifying internal IP addresses, localhost services, or cloud metadata endpoints as the target. The WordPress server then makes requests to these targets on behalf of the attacker, returning responses or performing actions that should not be accessible from external networks.
Common SSRF attack scenarios include:
- Accessing cloud instance metadata services (e.g., http://169.254.169.254/)
- Scanning internal network ports and services
- Interacting with internal REST APIs
- Accessing local services bound to localhost
- Bypassing IP-based access controls
For detailed technical information about the vulnerable code, refer to the WordPress Plugin Class Export source code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-13905
Indicators of Compromise
- Unusual outbound requests from the WordPress server to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- HTTP requests targeting cloud metadata endpoints (169.254.169.254) from the web server
- Unexpected access to internal services or APIs that should not receive external traffic
- Log entries showing requests to the class-export.php endpoint with suspicious URL parameters
Detection Strategies
- Monitor web server logs for requests to the OneStore Sites export functionality containing internal IP addresses or localhost references
- Implement network monitoring to detect outbound connections from web servers to internal infrastructure
- Configure Web Application Firewall (WAF) rules to detect and block SSRF patterns in request parameters
- Review access logs for anomalous patterns indicating port scanning or metadata service access attempts
Monitoring Recommendations
- Enable detailed logging on the WordPress server and monitor for requests containing RFC 1918 private IP addresses
- Set up alerts for any outbound traffic from web servers to cloud metadata service IP ranges
- Implement egress filtering and monitor for violations that may indicate SSRF exploitation
- Deploy network-level monitoring to detect unusual internal service access patterns originating from web servers
How to Mitigate CVE-2024-13905
Immediate Actions Required
- Immediately deactivate and remove the OneStore Sites plugin if running version 0.1.1 or earlier
- Audit web server logs for any signs of exploitation or suspicious requests to the export functionality
- Review and restrict network egress rules for web servers to limit access to internal services
- Implement a Web Application Firewall (WAF) with SSRF protection rules
Patch Information
Currently, the affected versions include all releases up to and including 0.1.1. Website administrators should check the WordPress Plugin Directory for any updated versions that address this vulnerability. If no patched version is available, consider removing the plugin entirely and finding an alternative solution.
Workarounds
- Remove or deactivate the OneStore Sites plugin until a patched version is released
- Implement network-level controls to prevent the web server from making requests to internal IP ranges and cloud metadata services
- Deploy a WAF rule to block requests containing internal IP addresses or localhost in URL parameters
- If the plugin functionality is required, implement IP whitelisting to restrict which external URLs the server can access
# Example: Block outbound requests to internal networks (iptables)
# Apply these rules to the web server to limit SSRF impact
# Block requests to private IP ranges from web server processes
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
