CVE-2024-13838
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to perform Server-Side Request Forgery (SSRF) attacks through the Uncanny Automator plugin. An attacker with such an account can make arbitrary web requests from the vulnerable server, potentially reaching internal services and sensitive information. Only WordPress sites with the vulnerable plugin installed are affected, and exploitation requires an administrator account.
💻 Affected Systems
- Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress
📦 What is this software?
Uncanny Automator by Uncannyowl
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, perform port scanning of internal networks, or chain with other vulnerabilities to achieve remote code execution.
Likely Case
Information disclosure from internal services, reconnaissance of internal network infrastructure, or limited data exfiltration from accessible internal endpoints.
If Mitigated
Limited impact if network segmentation restricts internal service access and proper authentication controls are in place.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once authenticated. The vulnerability is in the 'call_webhook' method which accepts arbitrary URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3249921/uncanny-automator/trunk/src/core/lib/webhooks/class-automator-send-webhook.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Uncanny Automator.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Uncanny Automator Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate uncanny-automator
Restrict Administrator Access
Implement strict access controls and review administrator accounts.
🧯 If You Can't Patch
- Implement network segmentation to restrict the WordPress server from accessing internal services
- Deploy web application firewall (WAF) rules to block SSRF attempts and monitor for suspicious outbound requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Uncanny Automator → Version. If version is 6.2 or lower, you are vulnerable.
Check Version:
wp plugin get uncanny-automator --field=version
Verify Fix Applied:
Verify Uncanny Automator plugin version is 6.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from WordPress server to internal IP addresses
- Multiple webhook calls to non-standard domains from administrator accounts
Network Indicators:
- HTTP requests from WordPress server to internal services (RFC1918 addresses)
- Unexpected outbound traffic patterns from web server
SIEM Query:
source="wordpress.log" AND ("call_webhook" OR "webhook" AND "internal")
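As an added illustration of the log indicators above (not part of the original advisory), the following script scans constructed webhook-call log lines and flags call_webhook events whose URL targets loopback, link-local or RFC 1918 space or a plainly local hostname. The log format and field names are assumptions for the example; adapt the regex to whatever your WordPress or egress proxy logging actually emits.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines (not from any real system). Each webhook call
# records the acting user and the destination URL the plugin was asked to hit.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=admin action=call_webhook url=https://hooks.example.com/abc status=200
2024-03-01T10:00:07Z user=admin action=call_webhook url=http://10.0.0.5:8080/admin status=200
2024-03-01T10:00:09Z user=editor action=update_post post_id=42
2024-03-01T10:00:12Z user=admin action=call_webhook url=http://127.0.0.1:9200/_cat/indices status=200
2024-03-01T10:00:15Z user=admin action=call_webhook url=http://localhost/wp-admin/ status=403
"""

# Assumed log layout: timestamp, user=, action=, and an optional url= field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: url=(?P<url>\S+))?"
)

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def is_internal_destination(url: str) -> bool:
    """True if the URL's host is an IP literal in private, loopback, link-local
    or reserved space, or a hostname that is plainly local. Hostnames that would
    need DNS are not resolved here (offline check), so they count as external."""
    host = urlparse(url).hostname
    if not host:
        return False
    if host.lower() in LOCAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def find_ssrf_candidates(log_text: str) -> list[dict]:
    """Return call_webhook events whose target is an internal destination."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "call_webhook" or not m.group("url"):
            continue
        if is_internal_destination(m.group("url")):
            hits.append({"ts": m.group("ts"), "user": m.group("user"), "url": m.group("url")})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} -> {hit['url']}")
```

A hit is a webhook destination that a legitimate integration should never need; review the corresponding Automator recipe and the administrator account that triggered it.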