CVE-2024-13618
📋 TL;DR
The aoa-downloadable WordPress plugin through version 0.1.0 has an authentication bypass vulnerability in its download.php endpoint. This allows unauthenticated attackers to make arbitrary URL requests through the vulnerable WordPress site, potentially leading to server-side request forgery (SSRF) attacks. Any WordPress site using this plugin is affected.
💻 Affected Systems
- aoa-downloadable WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the vulnerable endpoint as a proxy to scan internal networks, access internal services, or perform SSRF attacks against other systems. This could lead to data exfiltration, internal service compromise, or lateral movement within the network.
Likely Case
Attackers will use the vulnerability to scan internal networks, access metadata services (like AWS/Azure instance metadata), or perform port scanning through the vulnerable WordPress server. This could expose internal infrastructure details and potentially lead to further attacks.
If Mitigated
With proper network segmentation and egress filtering, the impact is limited to the WordPress server itself acting as a proxy for external requests, potentially exposing server metadata or making external requests on behalf of attackers.
🎯 Exploit Status
Exploitation requires no authentication and can be performed with simple HTTP requests to the download.php endpoint with URL parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.1.0 (check plugin repository for latest)
Vendor Advisory: https://wpscan.com/vulnerability/d6a78233-3f23-4da4-9bc0-1439cde20a30/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'aoa-downloadable' plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable plugin (WordPress)
Deactivate and remove the vulnerable plugin from WordPress:
wp plugin deactivate aoa-downloadable
wp plugin delete aoa-downloadable
Block access to download.php (all web servers)
Use web server configuration to block access to the vulnerable endpoint:
# Apache (the Order/Deny lines are 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" inside the Location block instead)
<Location /wp-content/plugins/aoa-downloadable/download.php>
    Order deny,allow
    Deny from all
</Location>
# Nginx
location ~ /wp-content/plugins/aoa-downloadable/download\.php {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the aoa-downloadable plugin from all WordPress installations
- Implement network egress filtering to restrict outbound connections from web servers to only necessary destinations
🔍 How to Verify
Check if Vulnerable:
Check if the plugin is installed and active in WordPress admin panel under Plugins → Installed Plugins. Look for 'aoa-downloadable' plugin with version 0.1.0 or earlier.
Check Version:
wp plugin get aoa-downloadable --field=version
Verify Fix Applied:
After updating, verify that the plugin version is greater than 0.1.0. Test by attempting to access /wp-content/plugins/aoa-downloadable/download.php?url=http://example.com: the request should return 403 or the endpoint should not be reachable at all.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/aoa-downloadable/download.php with URL parameters
- Unusual outbound connections from web server to internal or external IPs following download.php requests
- Multiple failed authentication attempts followed by download.php access
Network Indicators:
- Unusual traffic patterns from web server to internal network segments
- Web server making requests to cloud metadata services (169.254.169.254, 169.254.170.2)
- Port scanning activity originating from web server IP
SIEM Query:
source="web_server_logs" AND uri="/wp-content/plugins/aoa-downloadable/download.php" AND query_string="*url=*"
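As an added example (not part of this advisory), the following Python script applies the log indicator above to Apache combined-format access log lines: it flags every request to download.php that carries a url= parameter and ranks the fetched destination as cloud metadata, internal, or external. The log lines, client addresses and destinations are constructed for illustration and assume the combined log format.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample Apache combined-format access log lines (not captured traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-content/plugins/aoa-downloadable/download.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-content/plugins/aoa-downloadable/download.php?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-content/plugins/aoa-downloadable/download.php?url=http://example.com/file.pdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

ENDPOINT = "/wp-content/plugins/aoa-downloadable/download.php"
# Cloud instance-metadata endpoints named in the advisory's network indicators, plus GCP's hostname.
METADATA_HOSTS = {"169.254.169.254", "169.254.170.2", "metadata.google.internal"}
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify_target(url):
    """Rank the fetched URL: 'metadata' > 'internal' > 'external'; 'unparseable' if it has no host."""
    host = urlparse(url).hostname
    if host is None:
        return "unparseable"
    if host in METADATA_HOSTS:
        return "metadata"
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than a literal address
        return "external"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"


def find_ssrf_attempts(log_text):
    """Return one record per request to download.php that carries a url= parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m["target"])
        if parsed.path != ENDPOINT:
            continue
        urls = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
        if not urls:
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                     "url": urls[0], "severity": classify_target(urls[0])})
    return hits
```

Feed the output to an alerting rule: a single 'metadata' or 'internal' hit is worth an immediate look, since the plugin's legitimate use would only ever fetch external URLs.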