CVE-2020-24147

9.1 CRITICAL

📋 TL;DR

This CVE describes a server-side request forgery (SSRF) vulnerability in the WP Smart Import WordPress plugin version 1.0.0. Attackers can exploit the file field to make the server send unauthorized requests to internal systems, potentially accessing sensitive data or services. All WordPress sites using the vulnerable plugin version are affected.

💻 Affected Systems

Products:
  • WP Smart Import WordPress Plugin
Versions: 1.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin version installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data exfiltration, internal network reconnaissance, or lateral movement to other systems.

🟠 Likely Case

Unauthorized access to internal services, metadata harvesting, or limited data exposure from internal endpoints.

🟢 If Mitigated

Limited impact with proper network segmentation and egress filtering, potentially only error messages or timeout responses.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and weaponized due to their potential for internal network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1

Vendor Advisory: https://wordpress.org/plugins/wp-smart-import/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Smart Import.
4. Click 'Update Now' if available, or manually update to version 1.0.1.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate wp-smart-import

Restrict File Uploads (applies to: all)

Implement strict file upload validation and sanitization.

🧯 If You Can't Patch

  • Implement network egress filtering to restrict outbound requests from web servers
  • Deploy web application firewall (WAF) rules to detect and block SSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Smart Import version 1.0.0.

Check Version:

wp plugin list --name=wp-smart-import --field=version

Verify Fix Applied:

Confirm WP Smart Import plugin version is 1.0.1 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from web server to internal IPs
  • Multiple failed import attempts with suspicious file URLs

Network Indicators:

  • Web server making unexpected requests to internal services (metadata, database, etc.)

SIEM Query:

source="web_server_logs" AND (uri CONTAINS "/wp-content/plugins/wp-smart-import" OR user_agent CONTAINS "wp-smart-import") AND status_code=200
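The log and network indicators above can be checked mechanically. This added Python example (not part of the advisory) classifies constructed egress-log lines, assumed to record timestamp, source host, method, URL and status, and flags fetches by the web server to loopback, private or link-local addresses; the SIEM query above matches any successful request to the plugin path, so correlate its hits with egress hits like these rather than alerting on it alone.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample egress/proxy log (assumed format, not from the advisory):
# <timestamp> <source host> <method> <url> <status>
SAMPLE_EGRESS_LOG = """\
2024-01-15T10:00:01Z web01 GET https://cdn.example.com/feed.csv 200
2024-01-15T10:00:05Z web01 GET http://169.254.169.254/latest/meta-data/ 200
2024-01-15T10:00:09Z web01 GET http://10.0.3.12:6379/ 500
2024-01-15T10:00:12Z web01 GET http://localhost:8080/admin 403
2024-01-15T10:00:20Z web01 GET https://api.example.org/items.json 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_internal_target(url: str) -> bool:
    """True if the URL's host is loopback, private, link-local (cloud metadata
    lives there) or otherwise non-global. Bare hostnames are treated as external
    because classifying them would require DNS resolution."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost" or host.endswith((".local", ".internal")):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not addr.is_global


def find_ssrf_indicators(log_text: str, web_hosts: set) -> list:
    """Return egress entries where a web server host fetched an internal target,
    regardless of HTTP status: failed probes are as interesting as successes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["host"] not in web_hosts:
            continue
        if is_internal_target(m["url"]):
            hits.append({"ts": m["ts"], "host": m["host"],
                         "url": m["url"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_EGRESS_LOG, {"web01"}):
        print(f"{hit['ts']} {hit['host']} -> {hit['url']} ({hit['status']})")
```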
