PT-2022-23794 · WordPress · Web Stories

Aymen Borgi · Published 2022-10-28 · Updated 2025-05-05 · CVE-2022-3708

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Web Stories plugin for WordPress, versions up to and including 1.24.0
Description: The issue arises from insufficient validation of URLs supplied via the url parameter of the "/v1/hotlink/proxy" REST API endpoint. An authenticated user can make the server issue web requests to arbitrary locations, including internal services whose data can be queried and potentially modified.
Recommendations: For versions up to and including 1.24.0, update to a version later than 1.24.0 to resolve the issue. As a temporary workaround, restrict access to the "/v1/hotlink/proxy" REST API endpoint to reduce the risk of exploitation, and avoid using the url parameter of the affected endpoint until the issue is resolved.
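The root cause above is a proxy endpoint that fetches whatever url it is handed. The following is an added example, not code from the Web Stories plugin, of the destination check such an endpoint needs before fetching: it restricts scheme and port, rejects userinfo, resolves the host and refuses any answer that is not globally routable (loopback, RFC 1918, link-local such as the 169.254.169.254 metadata address, unique-local IPv6, IPv4-mapped literals). It is written in Python rather than the plugin's PHP so it runs stand-alone; the names and addresses in FAKE_DNS and the fake_resolve helper are constructed for the example and stand in for real DNS.

```python
"""Destination vetting for a hotlink/media proxy endpoint (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed name-to-address table standing in for DNS so the example runs
# offline. None of these records are real; a deployment uses system_resolve().
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],              # ordinary public host
    "intranet.example": ["10.0.0.5"],            # RFC 1918 internal service
    "meta.example": ["169.254.169.254"],         # link-local cloud metadata
    "rebind.example": ["8.8.8.8", "127.0.0.1"],  # mixed answers: one bad = reject
    "v6.example": ["fd00::1"],                   # IPv6 unique-local
}


def fake_resolve(host):
    """Offline stand-in for DNS (constructed data, see FAKE_DNS)."""
    return FAKE_DNS.get(host, [])


def system_resolve(host):
    """Real lookup: every A/AAAA answer, since any of them may be connected to."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_routable(ip):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are unwrapped first so the
    IPv4 rules apply to them; is_global already excludes loopback, RFC 1918,
    link-local (169.254/16), unique-local and reserved ranges.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def vet_proxy_url(url, resolver=system_resolve):
    """Decide whether a user-supplied proxy target may be fetched.

    Returns (True, [addresses]) when every check passes, else (False, reason).
    The caller should connect to one of the returned addresses (sending the
    original Host header) rather than resolving the name again, so a DNS
    answer that changes between check and fetch cannot redirect the request.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # An IP literal is checked as-is; a name is checked on *all* its answers.
    # Anything that is neither a literal nor resolvable is rejected outright.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, f"host {host!r} did not resolve"
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return False, f"resolver returned malformed address {text!r}"
        if not is_routable(ip):
            return False, f"address {text} is not globally routable"
    return True, addresses


if __name__ == "__main__":
    for u in ("https://cdn.example.com/a.jpg", "http://intranet.example/",
              "http://meta.example/latest/", "http://[::ffff:127.0.0.1]/",
              "http://2130706433/", "file:///etc/passwd"):
        print(u, "->", vet_proxy_url(u, fake_resolve))
```

Two points the check alone does not cover: an upstream that answers with a redirect must have the new Location vetted the same way before it is followed, and the vetted address list is returned precisely so the fetch connects to a checked address instead of re-resolving the name. In a WordPress plugin the equivalent building block is wp_safe_remote_get(), which applies wp_http_validate_url() to reject loopback and private destinations.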

Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2022-3708

Affected Products: Web Stories