cbcvebase.
CVE-2024-54330
published 2024-12-13

Priority: P349
Severity: high (CVSS 3.1 base score 7.2)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploit: available (Nuclei template referenced under Detection & IOCs)
EPSS: 1.43% (69.7th percentile)
Server-Side Request Forgery (SSRF) vulnerability in hurraki Hurrakify (hurrakify) allows Server Side Request Forgery. This issue affects Hurrakify: from n/a through <= 2.4.

Affected (1 range)

| Vendor  | Product   | Version range | Fixed in |
|---------|-----------|---------------|----------|
| hurraki | hurrakify | <= 2.4        |          |

Detection & IOCs (extracted from sources)

  • url: /wp-admin/admin-ajax.php?action=hurraki_tooltip_proxy&target=http://{{interactsh-url}}
  • path: /wp-content/plugins/hurrakify
  • other: action=hurraki_tooltip_proxy
  • Detect SSRF exploitation attempts by monitoring HTTP requests to /wp-admin/admin-ajax.php with the 'action=hurraki_tooltip_proxy' parameter and an external/arbitrary 'target' parameter value.
  • Identify WordPress installations with the Hurrakify plugin present by detecting the string '/wp-content/plugins/hurrakify' in HTTP response bodies (FOFA/Shodan fingerprint).
  • The vulnerability is unauthenticated — no session cookie or authentication header is required. Any unauthenticated GET request to the admin-ajax endpoint with the hurraki_tooltip_proxy action and a controlled 'target' URL should be treated as a potential exploit attempt.
  • Use out-of-band (OOB/OAST) detection: monitor for unexpected outbound HTTP requests from the WordPress server triggered by the hurraki_tooltip_proxy action, especially to interactsh or similar canary domains.
  • The vulnerability affects all versions of the Hurrakify plugin up to and including 2.4. Version 2.5 or later is patched.
  • The Nuclei template uses a two-step flow: first confirming the plugin is present via the body string, then triggering the SSRF. Detection logic should account for both conditions being true.