CVE-2024-13856
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to perform Server-Side Request Forgery (SSRF) attacks through the Make Builder plugin. Attackers can make arbitrary web requests from the vulnerable server, potentially accessing internal services and sensitive information. All WordPress sites using Make Builder plugin versions up to 1.1.10 are affected.
💻 Affected Systems
- WordPress Make Builder plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data from internal networks, perform port scanning, or attack other internal systems using the vulnerable server as a proxy.
Likely Case
Attackers with subscriber accounts could probe internal networks, access metadata services (like AWS/Azure instance metadata), or interact with internal APIs to gather information.
If Mitigated
With proper network segmentation and egress filtering, impact would be limited to the web server's network segment only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker obtains subscriber credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.11 or later
Vendor Advisory: https://wordpress.org/plugins/make-builder/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Your Friendly Drag and Drop Page Builder — Make Builder'.
4. Click 'Update Now' if available, or manually update to version 1.1.11+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Make Builder plugin until patched
wp plugin deactivate make-builder
Restrict user registration
Disable new user registration to prevent attacker account creation
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement network egress filtering to restrict outbound connections from web servers
- Apply WordPress user role restrictions and audit subscriber-level accounts
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins → Installed Plugins, find Make Builder and verify that the installed version is 1.1.10 or lower
Check Version:
wp plugin get make-builder --field=version
Verify Fix Applied:
Confirm that the Make Builder plugin version shown on the WordPress admin Plugins page is 1.1.11 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IPs
- Multiple failed authentication attempts followed by successful subscriber login
Network Indicators:
- Web server making unexpected HTTP requests to internal services
- Traffic from web server to metadata services (169.254.169.254, etc.)
SIEM Query:
source="wordpress.log" AND ("make_builder_ajax_subscribe" OR "POST /wp-admin/admin-ajax.php") AND (destination_ip IN [internal_ranges] OR user_agent="curl" OR user_agent="wget")
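As an added example (not from the advisory or the plugin's authors), the correlation the indicators above describe, run over constructed access-log and egress-log lines: outbound connections from the web server to internal or metadata addresses shortly after a POST to admin-ajax.php. The web server address, the log formats and the five-second window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

WEB_SERVER_IP = "10.0.1.20"      # assumption: address of the WordPress host
WINDOW = timedelta(seconds=5)    # assumption: how soon after the POST egress must occur

# Constructed Apache-style access log: client, [timestamp], "METHOD path".
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)')
# Constructed firewall/egress log: "<iso-ts> src=<ip> dst=<ip> dport=<n>".
EGRESS_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) dport=(\d+)')

def is_sensitive_destination(ip_text):
    """RFC1918, loopback or link-local (covers 169.254.169.254 metadata)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def admin_ajax_posts(access_lines):
    """(timestamp, client ip) for every POST to /wp-admin/admin-ajax.php."""
    posts = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).startswith("/wp-admin/admin-ajax.php"):
            posts.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)))
    return posts

def suspicious_egress(access_lines, egress_lines):
    """(egress ts, destination, triggering client) for web-server connections to
    internal/metadata addresses within WINDOW after an admin-ajax POST."""
    posts = admin_ajax_posts(access_lines)
    findings = []
    for line in egress_lines:
        m = EGRESS_RE.match(line)
        if not m or m.group(2) != WEB_SERVER_IP or not is_sensitive_destination(m.group(3)):
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        for post_ts, client in posts:
            if post_ts <= ts <= post_ts + WINDOW:
                findings.append((m.group(1), m.group(3), client))
                break
    return findings

ACCESS_LOG = [  # constructed sample lines
    '203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]
EGRESS_LOG = [  # constructed sample lines
    "2024-03-01T10:00:04Z src=10.0.1.20 dst=169.254.169.254 dport=80",   # flagged
    "2024-03-01T10:00:04Z src=10.0.1.20 dst=93.184.216.34 dport=443",    # public: ignored
    "2024-03-01T10:05:30Z src=10.0.1.20 dst=10.0.2.15 dport=8080",       # no recent POST
]
```

Only the metadata-service connection that follows the admin-ajax POST is reported; the public destination and the internal connection with no preceding POST are left out, which is the correlation the two indicator lists above rely on.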
🔗 References
- https://plugins.trac.wordpress.org/browser/make-builder/trunk/plugins-screen.php#L83
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3259333%40make-builder%2Ftrunk&old=2235851%40make-builder%2Ftrunk&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/make-builder/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffcb74b-230b-4629-b22d-5db96ac5fa06?source=cve