CVE-2024-54385 Overview
CVE-2024-54385 is a Server-Side Request Forgery (SSRF) vulnerability affecting the princeahmed Radio Player plugin for WordPress. The flaw impacts all versions up to and including 2.0.83. Attackers can abuse the plugin to issue arbitrary HTTP requests originating from the WordPress server, which can be used to probe internal networks, access cloud metadata endpoints, and interact with services that trust the server's network position.
The vulnerability is categorized as CWE-918 (Server-Side Request Forgery). It requires no authentication and no user interaction, and the EPSS score of 80.95% (99th percentile) indicates a high likelihood of exploitation attempts.
Critical Impact
Unauthenticated attackers can coerce the WordPress server into making outbound requests to attacker-chosen destinations, enabling internal reconnaissance and access to otherwise unreachable services.
Affected Products
- princeahmed Radio Player WordPress plugin (radio-player)
- All versions up to and including 2.0.83
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2024-12-16 - CVE-2024-54385 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-54385
Vulnerability Analysis
The Radio Player plugin exposes functionality that fetches remote resources based on user-supplied input without adequately validating the destination URL. Because the plugin does not restrict the scheme, host, or address range of the requested resource, an attacker can supply URLs pointing to internal IP ranges, loopback addresses, or cloud provider metadata endpoints.
The scope of impact extends beyond the vulnerable component, since the WordPress server can be used as a proxy to reach systems that trust its network identity. This can expose internal admin panels, databases, or instance metadata services on cloud-hosted WordPress deployments.
Root Cause
The root cause is missing validation of remote URLs before they are dereferenced server-side. The plugin accepts attacker-controlled input and passes it to an HTTP request function without enforcing an allowlist of trusted hosts or rejecting private and reserved address ranges.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the vulnerable plugin endpoint, supplying a URL pointing at an internal or sensitive resource. The WordPress server then issues the request and may return all or part of the response to the attacker. Refer to the Patchstack SSRF Vulnerability Report for additional technical context.
No public proof-of-concept code is available at this time, so a prose description is provided instead of synthetic exploit code.
Detection Methods for CVE-2024-54385
Indicators of Compromise
- Outbound HTTP requests from the WordPress server to internal IP ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 127.0.0.0/8
- Requests from the WordPress host to cloud metadata endpoints such as 169.254.169.254
- Unusual access patterns to plugin endpoints associated with the radio-player plugin in web server logs
- Spikes in outbound connections originating from the PHP worker process
Detection Strategies
- Inspect web server access logs for requests targeting radio-player AJAX or REST endpoints with URL parameters containing private or reserved IP ranges
- Correlate inbound requests to the plugin with outbound requests from the WordPress server using network flow data
- Apply web application firewall rules that flag URL parameters resolving to internal address space
Monitoring Recommendations
- Monitor egress traffic from WordPress hosts and alert on connections to 169.254.169.254 and RFC1918 ranges
- Track plugin version inventory across WordPress deployments and flag installations running radio-player version 2.0.83 or earlier
- Forward web server, PHP-FPM, and network telemetry to a centralized analytics platform for cross-source correlation
How to Mitigate CVE-2024-54385
Immediate Actions Required
- Identify all WordPress sites running the Radio Player plugin and confirm installed versions
- Update the radio-player plugin to a fixed version above 2.0.83 as soon as it is available from the vendor
- Restrict outbound network access from WordPress servers to only required destinations
- Block WordPress hosts from reaching cloud instance metadata endpoints unless explicitly required
Patch Information
Review the Patchstack SSRF Vulnerability Report for current patch status and vendor remediation details. If a patched version is not yet published, treat the plugin as vulnerable and apply compensating controls.
Workarounds
- Deactivate and remove the Radio Player plugin until a patched version is released
- Deploy a web application firewall rule that blocks requests to plugin endpoints containing URLs pointing to private, loopback, or link-local addresses
- Use network egress filtering to deny outbound HTTP requests from the WordPress server to internal subnets and metadata endpoints
- Enforce IMDSv2 on AWS-hosted WordPress instances to require session tokens for metadata access
# Example egress restriction using iptables to block metadata endpoint access
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block outbound traffic from PHP worker to RFC1918 ranges (adjust to environment)
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
