CVE-2020-24148
published 2021-07-07

CVE-2020-24148: Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml…

Priority: P264 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EXPLOIT available
EPSS: 14.74% (96.3rd percentile)
Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action.

Affected (1 range)

Vendor | Product | Version range | Fixed in
mooveagency | import_xml_and_rss_feeds | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/import-xml-feed/readme.txt
url: /wp-admin/admin-ajax.php?action=moove_read_xml
command: type=url&data=http%3A%2F%2F{{interactsh-url}}%2F&xmlaction=preview&node=0
path: /wp-content/plugins/import-xml-feed/
  • Detect SSRF exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the query parameter action=moove_read_xml and a body containing type=url and an external/internal URL in the data parameter.
  • Presence of the plugin can be fingerprinted by probing /wp-content/plugins/import-xml-feed/readme.txt and checking the response body for the string 'Import XML feed'.
  • Shodan query 'http.html:"import-xml-feed"' and FOFA query 'body="import-xml-feed"' can be used to identify internet-exposed WordPress instances running the vulnerable plugin.
  • The SSRF is triggered via the 'data' parameter in a moove_read_xml action; monitor for outbound HTTP requests originating from the web server process following such POST requests.
  • The exploit requires no authentication (PR:N), meaning any unauthenticated HTTP client can trigger the SSRF via the admin-ajax.php endpoint without a valid WordPress session.
  • The vulnerability is confirmed only in plugin version 2.0.1 and below; version 2.0.2 or higher is patched.
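An added detection example, not part of this record or its sources: it implements the first and fourth bullets above by classifying constructed proxy/WAF-style request records and flagging the moove_read_xml SSRF pattern, rating loopback/private/link-local targets higher. The record shape (method, URI, decoded POST body) and the sample values are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample records: (method, request URI, decoded POST body).
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php?action=moove_read_xml",
     "type=url&data=http%3A%2F%2F127.0.0.1%3A8080%2F&xmlaction=preview&node=0"),
    ("POST", "/wp-admin/admin-ajax.php?action=moove_read_xml",
     "type=url&data=http%3A%2F%2Fexample.invalid%2F&xmlaction=preview&node=0"),
    ("POST", "/wp-admin/admin-ajax.php?action=heartbeat", "data=ok"),
    ("GET", "/wp-content/plugins/import-xml-feed/readme.txt", ""),
]

def _target_kind(url):
    """Classify the fetched host: 'internal' for loopback/private/link-local, else 'external'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in ("localhost", ""):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # hostname, not an IP literal; resolution is left to the analyst
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"

def classify_request(method, uri, body):
    """Return None if the request does not match the SSRF pattern, else a finding dict."""
    path, _, query = uri.partition("?")
    if method != "POST" or path != "/wp-admin/admin-ajax.php":
        return None
    if parse_qs(query).get("action") != ["moove_read_xml"]:
        return None
    form = parse_qs(body)
    data = form.get("data", [""])[0]
    if form.get("type") != ["url"] or not data.lower().startswith(("http://", "https://")):
        return None
    kind = _target_kind(data)
    return {"url": data, "target": kind, "severity": "high" if kind == "internal" else "medium"}

def scan(records):
    """Run the classifier over request records and keep only the findings."""
    return [f for f in (classify_request(*r) for r in records) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Pair the match with an alert on outbound HTTP from the web server process shortly after the request, as the fourth bullet suggests.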

CVSS provenance

NVD | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P