CVE-2024-4354

Name of the Vulnerable Software and Affected Versions TablePress – Tables in WordPress made easy plugin for WordPress versions prior to 2.3

Description The issue allows authenticated attackers with author-level access and above to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. This is possible due to a Server-Side Request Forgery vulnerability in the get files to import() function. The vulnerability poses a minimal risk to most site owners, and ideally, WordPress core would correct this issue in wp safe remote get() and other functions.

Recommendations For versions prior to 2.3, restrict the usage of the URL import functionality to just administrators as a temporary workaround until a patch is available.