CVE-2024-9624

Name of the Vulnerable Software and Affected Versions WP All Import Pro plugin for WordPress versions up to, and including, 4.9.3

Description The issue is related to Server-Side Request Forgery due to missing SSRF protection on the pmxi curl download function. This allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations from the web application, potentially querying and modifying information from internal services. On cloud platforms, it may also allow attackers to read Instance metadata.

Recommendations For versions up to, and including, 4.9.3, consider disabling the pmxi curl download function until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of unauthorized web requests. Update to a version higher than 4.9.3 when available.