CVE-2024-54385
published 2024-12-16

CVE-2024-54385: Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player (radio-player)

Priority: P3 (54) high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
Exploit: available
EPSS: 5.11% (percentile 91.3)
Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player (radio-player) allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.83.

Affected (1 range)

Vendor        Product        Version range   Fixed in
princeahmed   radio_player   <= 2.0.83       (not listed)

Detection & IOCs (extracted from sources)

url: POST /wp-admin/admin-ajax.php
path: /wp-content/plugins/radio-player
command: action=radio_player_get_stream_data&nonce={{nonce}}&utm_source=&url=http://{{interactsh-url}}/live.m3u8
other: shodan: http.html:"/wp-content/plugins/radio-player"
other: fofa: body="/wp-content/plugins/radio-player"
  • Detect SSRF exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'radio_player_get_stream_data' and an external/internal URL in the 'url' parameter.
  • Presence of the Radio Player plugin can be fingerprinted via the string '/wp-content/plugins/radio-player' in the HTTP response body; use this for asset discovery and attack surface mapping.
  • The exploit extracts a nonce value from the page matching the regex pattern '"nonce":"([a-z0-9]+)",\s*"isPro"'; monitor for unauthenticated nonce harvesting from the WordPress frontend prior to SSRF attempts.
  • The vulnerability is exploitable by unauthenticated attackers (no authentication required); any POST to admin-ajax.php with action=radio_player_get_stream_data should be treated as suspicious regardless of session state.
  • The NVD advisory states the affected version range is 'from n/a through <= 2.0.83', while the Wordfence/Nuclei template states 'up to, and including, 2.0.82'. Confirm the exact patched version before deploying version-based detection rules.
  • The Nuclei template uses a two-step flow: first confirming plugin presence and extracting a nonce, then sending the SSRF payload. Detection logic should account for this two-request pattern rather than looking for a single anomalous request.
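A defender-side check for the two-request pattern described in the bullets above, added here as an example that is not part of the source record or the plugin's code: it walks constructed request records (an assumed body-logging proxy/WAF layout with a hypothetical resp_contains_plugin flag) and raises one alert per admin-ajax.php POST carrying the radio_player_get_stream_data action, noting whether the url parameter targets a private, loopback or link-local address and whether the same source fetched a page exposing the plugin path shortly before.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

ACTION = "radio_player_get_stream_data"
WINDOW = timedelta(minutes=10)  # how soon after a fingerprinting GET the POST must arrive

# Constructed sample records in an assumed body-logging proxy/WAF layout, not real traffic.
# "resp_contains_plugin" (assumed flag): the response body contained
# /wp-content/plugins/radio-player, i.e. the page the nonce would be read from.
SAMPLE_REQUESTS = [
    {"ts": "2024-12-16T10:00:00", "src": "203.0.113.5", "method": "GET", "path": "/",
     "body": "", "resp_contains_plugin": True},
    {"ts": "2024-12-16T10:00:02", "src": "203.0.113.5", "method": "POST",
     "path": "/wp-admin/admin-ajax.php", "resp_contains_plugin": False,
     "body": "action=radio_player_get_stream_data&nonce=abc123&utm_source=&url=http://127.0.0.1:8080/live.m3u8"},
    {"ts": "2024-12-16T11:00:00", "src": "198.51.100.9", "method": "POST",
     "path": "/wp-admin/admin-ajax.php", "resp_contains_plugin": False,
     "body": "action=heartbeat&_nonce=def456"},  # benign WordPress AJAX call
]

def is_internal_target(url):
    """True when the url host is a literal private, loopback or link-local address or 'localhost'.
    A DNS name resolving internally is not caught here, which is why every such POST is alerted on anyway."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

def detect(records):
    """One alert per admin-ajax.php POST carrying the vulnerable action, whatever the session state."""
    alerts, last_fingerprint = [], {}  # src -> time of the last GET that exposed the plugin path
    for r in sorted(records, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        if r["method"] == "GET" and r.get("resp_contains_plugin"):
            last_fingerprint[r["src"]] = ts
            continue
        if r["method"] != "POST" or not r["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(r["body"])
        if params.get("action", [""])[0] != ACTION:
            continue
        target = params.get("url", [""])[0]
        prior = last_fingerprint.get(r["src"])
        alerts.append({"ts": r["ts"], "src": r["src"], "url": target,
                       "internal_target": is_internal_target(target),
                       "two_step": prior is not None and ts - prior <= WINDOW})
    return alerts
```

Because the action lives in the POST body, this only works on a log source that records request bodies; a plain access log would show nothing beyond a POST to admin-ajax.php.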