1 vulnerability found for WPGet API – Connect to any external REST API by davidanderson
CVE-2024-13857 (GCVE-0-2024-13857)
Vulnerability from cvelistv5
Published
2025-03-07 09:21
Modified
2026-04-08 17:23
Severity: 5.5 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
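The WPGet API – Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make the web application issue web requests to arbitrary locations, which can be used to query and modify information from internal services. The Administrator requirement corresponds to PR:H in the record's CVSS vector, and the CISA ADP SSVC entry lists exploitation as "none" and automatable as "no" at the time of its assessment. Sites should run a release later than 2.2.10 (the record references plugin changeset 3251647) and, as defence in depth, limit which internal addresses the web server is allowed to reach.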
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| davidanderson | WPGet API – Connect to any external REST API | Affected: 0 through 2.2.10 (inclusive) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T13:35:50.583158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T13:36:06.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPGet API \u2013 Connect to any external REST API",
"vendor": "davidanderson",
"versions": [
{
"lessThanOrEqual": "2.2.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPGet API \u2013 Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:23:59.917Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd2a8e7b-6fca-49f3-ba6d-bdaa418f611a?source=cve"
},
{
"url": "https://wordpress.org/plugins/wpgetapi/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251647/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-06T20:56:52.000Z",
"value": "Disclosed"
}
],
"title": "WPGet API \u003c= 2.2.10 - Authenticated (Administrator+) Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13857",
"datePublished": "2025-03-07T09:21:14.921Z",
"dateReserved": "2025-02-10T22:55:29.229Z",
"dateUpdated": "2026-04-08T17:23:59.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}