CVE-2024-54330
Published 2024-12-13
Priority P3 (49) · Severity high · CVSS 3.1 base score 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.43% (69.7th percentile)
Server-Side Request Forgery (SSRF) vulnerability in hurraki Hurrakify (hurrakify) allows Server-Side Request Forgery. This issue affects Hurrakify: from n/a through 2.4 (all versions <= 2.4).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hurraki | hurrakify | <= 2.4 | — |
Detection & IOCs (extracted from sources)
- Detect SSRF exploitation attempts by monitoring HTTP requests to /wp-admin/admin-ajax.php that carry the parameter action=hurraki_tooltip_proxy together with an external or otherwise attacker-controlled 'target' parameter value.
- Identify WordPress installations with the Hurrakify plugin installed by looking for the string '/wp-content/plugins/hurrakify' in HTTP response bodies (FOFA/Shodan fingerprint).
- The vulnerability is unauthenticated: no session cookie or authentication header is required. Any unauthenticated GET request to the admin-ajax endpoint with the hurraki_tooltip_proxy action and a controlled 'target' URL should be treated as a potential exploit attempt.
- Use out-of-band (OOB/OAST) detection: monitor for unexpected outbound HTTP requests from the WordPress server triggered by the hurraki_tooltip_proxy action, especially to interactsh or similar canary domains.
- The vulnerability affects all versions of the Hurrakify plugin up to and including 2.4. Version 2.5 or later is patched.
- The Nuclei template uses a two-step flow: it first confirms the plugin is present via the body string, then triggers the SSRF. Detection logic should account for both conditions being true.
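The indicators above can be applied directly to web-server access logs. The following script is an added example written for this page; it is not the tracker's, the Nuclei template's or the Hurrakify plugin's own code. It parses combined-format log lines, flags requests to /wp-admin/admin-ajax.php with action=hurraki_tooltip_proxy and a 'target' parameter, and classifies where the proxied request would go (internal address, OAST canary, or external host), which is what a triage analyst wants to know first. It also carries the plugin-fingerprint check from the two-step flow. The log lines, source IPs and host names are constructed sample data; the OAST canary suffix list and the handling of scheme-less 'target' values are assumptions, not behaviour confirmed against the plugin.

```python
"""Flag CVE-2024-54330 exploitation attempts in web-server access logs.

Added example for this page, not code from the tracker, the Nuclei
template or the Hurrakify plugin. It encodes the indicators listed
above: a request to /wp-admin/admin-ajax.php with
action=hurraki_tooltip_proxy and an attacker-controlled 'target'.
Log lines, IPs and host names are constructed sample data; the OAST
suffixes are an assumed watchlist, not a complete one.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

VULN_ACTION = "hurraki_tooltip_proxy"            # indicator from the sources above
PLUGIN_MARKER = "/wp-content/plugins/hurrakify"  # plugin fingerprint string
OAST_SUFFIXES = (".oast.fun", ".oast.pro", ".oast.live", ".oast.site",
                 ".oast.online", ".oast.me", ".interact.sh")  # assumed watchlist

# Constructed sample log lines: three exploit attempts, two benign requests.
SAMPLE_LOGS = [
    '203.0.113.5 - - [14/Dec/2024:10:01:12 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=hurraki_tooltip_proxy&target=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2024:10:01:13 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=hurraki_tooltip_proxy&target=http%3A%2F%2Fc8h2k1.oast.fun%2F'
    ' HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2024:10:02:40 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Dec/2024:10:03:01 +0000] "GET /index.php HTTP/1.1"'
    ' 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2024:10:04:55 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=hurraki_tooltip_proxy&target=http%3A%2F%2Flocalhost%3A8080%2Fadmin'
    ' HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
]


def parse_line(line):
    """Split one combined-format log line into its fields plus the parsed URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values; keep the first value of each key.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify_target(target):
    """Say where the proxied request would go: internal, oob-canary or external."""
    u = urlsplit(target)
    if not u.netloc:
        # Scheme-less value such as "169.254.169.254/latest": assume the proxy
        # treats it as http:// (assumption, not verified against the plugin).
        u = urlsplit("http://" + target)
    host = u.hostname
    if not host:
        return "unparseable"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host == "localhost" or host.endswith((".localhost", ".local", ".internal")):
            return "internal"
        if host.endswith(OAST_SUFFIXES):
            return "oob-canary"
        return "external"
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "internal"
    return "external"


def detect(lines):
    """Return one finding per request matching the CVE-2024-54330 indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if rec["query"].get("action") != VULN_ACTION or "target" not in rec["query"]:
            continue
        target = rec["query"]["target"]
        findings.append({
            "src": rec["src"], "ts": rec["ts"], "method": rec["method"],
            "status": rec["status"], "target": target,
            "class": classify_target(target),
        })
    return findings


def plugin_present(body):
    """Fingerprint step of the two-step flow: is the plugin referenced in a page body?"""
    return PLUGIN_MARKER in body


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']} {f['method']} target={f['target']} [{f['class']}]")
```

One caveat when using this on real logs: the access log only records the query string, so an attempt that sends 'action' and 'target' in a POST body will not match here and needs request-body logging (WAF or a reverse proxy with body capture) or the OOB canary approach from the indicators above. A hit whose target classifies as internal (cloud metadata, loopback, RFC 1918) deserves the same urgency as an oob-canary hit, since the latter is usually a scanner confirming the bug before the former is tried.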
No detection rules found.
Nuclei
Hurrakify <= 2.4 - Server-Side Request Forgery (nuclei · CVSS 7.2)
The Hurrakify plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Template (the indexed copy ends after the info block):

```yaml
id: CVE-2024-54330

info:
  name: Hurrakify <= 2.4 - Server-Side Request Forgery
  author: s4e-io
  severity: high
  description: |
    The Hurrakify plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
```
No writeups or analysis indexed.