CVE-2024-4399
published 2024-05-23

CVE-2024-4399: The CAS WordPress theme does not validate the 'url' parameter passed to get_remote_data.php before making a request to it, which could allow unauthenticated users to perform an SSRF attack.

Priority: P2 (64)
CVSS 3.1: 9.1 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: EXPLOIT
EPSS: 1.84% (76.3rd percentile)

Detection & IOCs (extracted from sources)

Path: /wp-content/themes/cas/get_remote_data.php
Path: wp-content/themes/cas/
  • Detect SSRF exploitation attempts targeting the 'url' parameter in get_remote_data.php of the CAS WordPress theme. Look for unauthenticated GET requests to /wp-content/themes/cas/get_remote_data.php with a 'url' query parameter pointing to external or internal hosts.
  • Fingerprint vulnerable CAS theme installations by searching for the string 'themes/cas' in HTTP response bodies, as used in the nuclei template's first-stage check.
  • Confirm active exploitation via out-of-band (OOB) HTTP callback: a successful SSRF will trigger an HTTP interaction from the target server to the attacker-controlled URL supplied in the 'url' parameter.
  • The vulnerability is exploitable without authentication (PR:N, UI:N), meaning no session or credentials are required to trigger the SSRF via the exposed PHP script.
  • The nuclei template uses a two-step flow: first confirming the CAS theme is present, then sending the SSRF payload. Detection logic should mirror this to reduce false positives.
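The detection logic described in the bullets above, as an added example that is not part of this page, the CAS theme, or the nuclei template: a Python script that parses web-server access-log lines in combined log format, flags GET requests to get_remote_data.php that carry a 'url' parameter, classifies the requested target as internal (loopback, RFC 1918, link-local such as the cloud metadata address) or external (a likely OOB callback host), and notes whether the same source IP touched the site earlier in the log, a heuristic stand-in for the template's first-stage theme check. The log lines, the source addresses and the `probe_seen` heuristic are constructed for the example; the script does not resolve hostnames, so a DNS name that points at an internal address is still reported as external.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:10:01:03 +0000] "GET /wp-content/themes/cas/get_remote_data.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 311 "-" "curl/8.0"
198.51.100.9 - - [23/May/2024:10:02:10 +0000] "GET /wp-content/themes/cas/get_remote_data.php?url=http://oob.example.net/x HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.9 - - [23/May/2024:10:02:11 +0000] "GET /wp-content/themes/cas/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.4 - - [23/May/2024:10:03:00 +0000] "GET /wp-content/themes/cas/get_remote_data.php HTTP/1.1" 400 0 "-" "Mozilla/5.0"
"""

# Source IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/wp-content/themes/cas/get_remote_data.php"
THEME_PREFIX = "/wp-content/themes/cas/"


def classify_target(url: str) -> str:
    """Classify the SSRF target as 'internal', 'external' or 'unparseable'.

    Only literal IPs and 'localhost' can be judged offline; any other hostname
    is reported as external even though it could resolve to an internal address.
    """
    host = urlparse(url).hostname
    if not host:
        return "unparseable"
    if host.lower() == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # hostname, not resolved here
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_multicast:
        return "internal"
    return "external"


def detect_cas_ssrf(log_text: str) -> list[dict]:
    """Return one finding per request to get_remote_data.php that carries a 'url' parameter.

    probe_seen is a heuristic (an assumption of this example, not the nuclei
    template's own logic): True when the same source IP requested the site root
    or any file under the theme directory earlier in the log, which is what the
    template's theme fingerprint step would look like in an access log.
    """
    findings = []
    probed_sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src = m["src"]
        parsed = urlparse(m["target"])
        path = parsed.path

        if path == "/" or path.startswith(THEME_PREFIX):
            probe_seen = src in probed_sources
            probed_sources.add(src)
        else:
            probe_seen = src in probed_sources

        if path != VULN_PATH:
            continue
        urls = parse_qs(parsed.query).get("url")
        if not urls:
            continue  # script touched without a payload; not an SSRF attempt by itself

        target_url = urls[0]  # parse_qs already percent-decodes the value
        findings.append({
            "src": src,
            "ts": m["ts"],
            "status": int(m["status"]),
            "url": target_url,
            "target_class": classify_target(target_url),
            "probe_seen": probe_seen,
        })
    return findings


if __name__ == "__main__":
    for f in detect_cas_ssrf(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['url']} [{f['target_class']}] probe_seen={f['probe_seen']}")
```

Run against the constructed log, the script reports two attempts: one from 203.0.113.7 aimed at the link-local metadata address (internal, preceded by a request to the site root) and one from 198.51.100.9 aimed at an external host, the shape an OOB-callback probe takes. The request from 192.0.2.4 with no 'url' parameter is skipped, which keeps ordinary theme traffic out of the findings; to confirm exploitation rather than an attempt, correlate the external case with the outbound HTTP connection from the web server itself.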