CVE-2024-4354
📋 TL;DR
The TablePress WordPress plugin, in all versions up to and including 2.3, is vulnerable to Server-Side Request Forgery (SSRF). An authenticated attacker with author-level access or higher can make the vulnerable server issue web requests to destinations of the attacker's choosing. The public write-up in the references reaches internal hosts through DNS rebinding: the hostname in an import URL is checked before the request, but it is resolved again when the connection is made, and an attacker-controlled DNS server can answer differently the second time. The resulting requests can be used to query and modify internal services, potentially exposing sensitive data or enabling further attacks.
💻 Affected Systems
- TablePress – Tables in WordPress made easy
📦 What is this software?
TablePress, by TablePress: a WordPress plugin for creating and managing tables, including an import feature that can fetch table data from a URL.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data from internal networks, perform port scanning, or chain with other vulnerabilities to achieve remote code execution.
Likely Case
Attackers holding a compromised or self-registered author account could probe internal networks, read cloud instance metadata (for example the AWS or Azure endpoint at 169.254.169.254), or interact with internal APIs that trust requests originating from the web server.
If Mitigated
With egress filtering and network segmentation in place, the impact is bounded by what the web server itself is still allowed to reach: the attacker gains only the server's network perspective, and only towards services that are reachable from it.
🎯 Exploit Status
Exploitation requires an authenticated account with the author role or higher; no unauthenticated path is known. Technical details and a proof of concept are publicly available in the references. Because the bypass works at the DNS layer, the import URL itself carries an ordinary-looking external hostname; nothing in the URL string marks the request as malicious.
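The gap the references describe is a time-of-check/time-of-use problem: the hostname is resolved and validated once, then the HTTP client resolves it a second time when it connects, and a rebinding DNS server answers the second lookup with an internal address. The following Python is an added illustration of that gap and of the resolve-once-and-pin fix; it is not TablePress or WordPress code. The resolver, the name rebind.example, the addresses and the "network" the fetches connect to are constructed stand-ins so the example runs offline.

```python
"""Validate-then-fetch SSRF check versus resolve-once-and-pin.

Added illustration, not TablePress or WordPress code. The resolver and the
"network" are constructed stubs: rebind.example answers with a public address
on the first lookup and with 127.0.0.1 on the second, which is what an
attacker-controlled authoritative DNS server does in a rebinding attack.
"""
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Address ranges an import-from-URL feature must never reach. ipaddress's
# is_global would be stricter (it also rejects the RFC 5737 documentation
# ranges used as public stand-ins below), so the list is spelled out here.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public(ip: str) -> bool:
    """True if ip is outside every blocked range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is checked as 169.254.169.254
    return not any(addr in net for net in BLOCKED_NETWORKS)


class RebindingResolver:
    """Returns the configured answers for a name in order, repeating the last one."""

    def __init__(self, answers: Dict[str, List[str]]) -> None:
        self._answers = {name: list(ips) for name, ips in answers.items()}

    def __call__(self, name: str) -> str:
        ips = self._answers[name]
        return ips.pop(0) if len(ips) > 1 else ips[0]


# Constructed "network": what a connection to each address would return.
FAKE_HOSTS = {
    "203.0.113.10": "attacker's public CSV",
    "127.0.0.1": "internal service banner",
}


def fake_http_get(connect_ip: str, host_header: str) -> str:
    return FAKE_HOSTS.get(connect_ip, "connection refused")


Resolver = Callable[[str], str]
HttpGet = Callable[[str, str], str]


def fetch_vulnerable(url: str, resolve: Resolver, http_get: HttpGet) -> str:
    """Check the name, then hand the name (not the address) to the client.

    The client performs its own lookup, so a rebinding server gets a second
    chance to answer with an internal address after the check has passed."""
    host = urlsplit(url).hostname
    if not is_public(resolve(host)):
        raise ValueError(f"{host} resolves to a blocked address")
    return http_get(resolve(host), host)  # second lookup happens here


def fetch_pinned(url: str, resolve: Resolver, http_get: HttpGet) -> str:
    """Resolve once, validate that address, and connect to exactly that address."""
    host = urlsplit(url).hostname
    ip = resolve(host)
    if not is_public(ip):
        raise ValueError(f"{host} resolves to a blocked address")
    return http_get(ip, host)  # the Host header still carries the name


def demo() -> Dict[str, str]:
    url = "http://rebind.example/table.csv"
    answers = {"rebind.example": ["203.0.113.10", "127.0.0.1"]}
    return {
        "vulnerable": fetch_vulnerable(url, RebindingResolver(answers), fake_http_get),
        "pinned": fetch_pinned(url, RebindingResolver(answers), fake_http_get),
    }


if __name__ == "__main__":
    for mode, body in demo().items():
        print(f"{mode:10s} -> {body}")
```

Pinning only holds if the client really connects to the validated address and sends the name only in the Host header (curl exposes this as CURLOPT_RESOLVE), and if every redirect target is resolved, validated and pinned the same way; a redirect to an internal host is the other classic way past a one-time check.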
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.3 (update to the latest release available in the WordPress plugin repository)
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3097113%40tablepress&new=3097113%40tablepress&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find TablePress and click 'Update Now'.
4. Alternatively, download the latest version from the WordPress plugin repository and manually replace the plugin files.
🔧 Temporary Workarounds
Restrict URL Import to Administrators
Modify the plugin code so that the URL-import path is only reachable by administrators, as an interim measure.
Edit wp-content/plugins/tablepress/classes/class-import.php and add a capability check (for example, require that current_user_can('manage_options') returns true) before the URL import at line 125 referenced below. This manual edit is overwritten by the next plugin update, which is acceptable only because that update is the real fix.
Remove Author Role Access
Temporarily downgrade or remove author-level users until patching is complete.
In WordPress admin: Users → All Users → Edit user → Role → Change to Subscriber
🧯 If You Can't Patch
- Disable the TablePress plugin completely until patching is possible
- Implement network-level restrictions that block outbound HTTP requests from the web server to internal networks and to the cloud metadata endpoints. Filter on destination address at the host or network firewall: hostname- or DNS-based allow-lists are exactly what DNS rebinding defeats. Where the instance metadata service offers a session-token mode (IMDSv2 on AWS), require it, since a plain GET issued through an SSRF cannot obtain the token.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → TablePress → Version. If version is 2.3 or lower, you are vulnerable.
Check Version:
wp plugin list --name=tablepress --field=version (if WP-CLI is installed)
Verify Fix Applied:
After updating, verify TablePress version is higher than 2.3 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to the TablePress import page in the web server access log, especially repeated ones from a single author-level account or from an account that does not normally manage tables
- DNS query logs, where available, showing a name that resolves to an internal address with a very short TTL shortly after such an import request (the signature of a rebinding domain)
Network Indicators:
- Web server making outbound requests to internal IP ranges (RFC 1918 space, 127.0.0.0/8)
- Requests from the web server IP to the cloud metadata endpoints: 169.254.169.254 (AWS, Azure, GCP, OpenStack) and 100.100.100.200 (Alibaba Cloud)
SIEM Query:
The access log (which carries the request URI) and the egress or firewall log (which carries the destination IP) are different sources, so run one query per source and join the results on time.
Access log (who used the import page):
source="web_server_logs" AND uri CONTAINS "tablepress"
Egress or firewall log (what the server then connected to):
source="firewall_logs" AND src_ip=<web_server_ip> AND (dst_ip IN private_ranges OR dst_ip=169.254.169.254 OR dst_ip=100.100.100.200)
An egress hit within a few seconds of an import request on the same web server is the signal. The egress line can precede the access-log line, because the access log entry is written when the request completes. Matching on "/wp-admin/admin-ajax.php" as a broader variant is too noisy to act on by itself.
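The indicators above span two log sources that have to be joined on time. The following Python is an added detection example, not part of this advisory or of TablePress: it parses a constructed key=value egress log and a constructed Apache-style access log, flags connections from the web server to the watched destinations, and attaches the client address of any import request logged within a few seconds. The web server address 10.0.1.5 and the import URI pattern page=tablepress_import are assumptions; check the URI against your own access log before relying on it.

```python
"""Correlate web-server egress with TablePress import requests.

Added detection example; not part of the advisory or of TablePress. Both log
extracts are constructed. Assumptions: the WordPress host is 10.0.1.5 in the
firewall log, and the import page is requested as
/wp-admin/admin.php?page=tablepress_import (verify against your own access log).
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List

WEB_SERVER_IP = "10.0.1.5"  # assumption: the WordPress host as logged by the firewall

# Destinations the advisory's indicators call out: private ranges plus the
# AWS/Azure/GCP (169.254.169.254) and Alibaba Cloud (100.100.100.200) metadata endpoints.
WATCHED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.169.254/32", "100.100.100.200/32",
)]

# Constructed key=value egress log: src is the connecting host, dst the target.
EGRESS_LOG = """\
2024-05-14T10:14:01Z src=10.0.1.5 dst=203.0.113.77 dport=443 action=allow
2024-05-14T10:14:03Z src=10.0.1.5 dst=169.254.169.254 dport=80 action=allow
2024-05-14T10:14:04Z src=10.0.1.5 dst=10.0.2.20 dport=8080 action=allow
2024-05-14T11:02:10Z src=10.0.1.9 dst=10.0.2.20 dport=8080 action=allow
"""

# Constructed Apache combined-style access log for the WordPress site.
ACCESS_LOG = """\
198.51.100.23 - - [14/May/2024:10:13:58 +0000] "POST /wp-admin/admin.php?page=tablepress_import HTTP/1.1" 302 0
198.51.100.23 - - [14/May/2024:10:14:02 +0000] "GET /wp-admin/admin.php?page=tablepress HTTP/1.1" 200 5120
198.51.100.60 - - [14/May/2024:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

EGRESS_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')
IMPORT_URI = re.compile(r"tablepress_import")  # assumption about the import endpoint


def parse_egress(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append({"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def parse_access(text: str) -> List[Dict]:
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            requests.append({"ts": ts, "client": m["client"], "method": m["method"], "uri": m["uri"]})
    return requests


def is_watched(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_DESTINATIONS)


def suspicious_egress(egress_text: str, web_server_ip: str = WEB_SERVER_IP) -> List[Dict]:
    """Connections from the web server to a watched destination."""
    return [e for e in parse_egress(egress_text)
            if e["src"] == web_server_ip and is_watched(e["dst"])]


def import_requests(access_text: str) -> List[Dict]:
    """POSTs to the TablePress import page (the action that triggers the fetch)."""
    return [r for r in parse_access(access_text)
            if r["method"] == "POST" and IMPORT_URI.search(r["uri"])]


def correlate(egress_text: str, access_text: str,
              window: timedelta = timedelta(seconds=10)) -> List[Dict]:
    """For each suspicious egress event, list import requests logged within +/- window.

    The access-log line is written when the request finishes, so the server's
    outbound connection can precede it; hence the symmetric window."""
    imports = import_requests(access_text)
    findings = []
    for e in suspicious_egress(egress_text):
        nearby = [r for r in imports if abs(r["ts"] - e["ts"]) <= window]
        findings.append({
            "time": e["ts"].isoformat(),
            "dst": e["dst"],
            "dport": e["dport"],
            "import_clients": sorted({r["client"] for r in nearby}),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(EGRESS_LOG, ACCESS_LOG), indent=2))
```

On the constructed data the two hits from 10.0.1.5 (metadata endpoint, then an internal host on 8080) both fall within ten seconds of the single import POST from 198.51.100.23; the later 10.0.1.9 connection is ignored because it did not come from the web server, and the 203.0.113.77 connection is ignored because it is not a watched destination. Widen the window if your access log timestamps the start of the request rather than its completion.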
🔗 References
- https://plugins.trac.wordpress.org/browser/tablepress/trunk/classes/class-import.php#L125
- https://plugins.trac.wordpress.org/browser/tablepress/trunk/classes/class-import.php#L141
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3097113%40tablepress&new=3097113%40tablepress&sfp_email=&sfph_mail=
- https://www.clear-gate.com/blog/ssrf-with-dns-rebinding-2/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/879384eb-bfea-4667-a7de-9f723dbea74b?source=cve