WordPress Plugin Vulnerabilities

All in One SEO Pro < 4.2.6 - Admin+ SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow users with a role as low as Admin to perform SSRF attack

Affects Plugins

Plugin icon
all-in-one-seo-pack-pro
Fixed in 4.2.6

References

CVE
CVE-2022-42494

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
3.0 (low)

Miscellaneous

Original Researcher
Rafie Muhammad aka Yeraisci
Verified
No
WPVDB ID
08c5071a-d662-4ed6-94c3-3bb990f55795

Timeline

Publicly Published
2022-10-27 (about 1 years ago)
Added
2022-11-08 (about 1 years ago)
Last Updated
2022-11-08 (about 1 years ago)

Other

Published
Title
Published
2023-11-06
Title
WPB Show Core <= 2.2 - Unauthenticated Server Side Request Forgery
Published
2023-11-13
Title
Church Admin < 3.8.0 - Server-Side Request Forgery (SSRF)
Published
2023-02-10
Title
Shortcodes Ultimate < 5.12.7 - Subscriber+ SSRF
Published
2024-03-13
Title
Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
Published
2023-09-05
Title
Starter Templates <= 3.2.4 - Authenticated (Contributor+) Server-Side Request Forgery