CVE-2024-6584
📋 TL;DR
This vulnerability in the Jetpack Boost WordPress plugin allows administrator users to make arbitrary GET requests to any URL through the 'wp_ajax_boost_proxy_ig' AJAX action. It enables server-side request forgery (SSRF), potentially exposing internal services or performing unauthorized actions on the site's behalf. All WordPress sites running the vulnerable plugin version are affected.
💻 Affected Systems
- WordPress
📦 What is this software?
Jetpack Boost by Automattic
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the vulnerable endpoint to access internal services, exfiltrate sensitive data, or chain with other vulnerabilities to achieve remote code execution.
Likely Case
Attackers would use this to scan internal networks, access metadata services (like AWS/Azure instance metadata), or interact with internal APIs that shouldn't be exposed.
If Mitigated
With proper network segmentation and firewall rules, the impact would be limited to accessing only allowed external resources.
🎯 Exploit Status
Exploitation requires administrator-level access. The vulnerability is publicly documented with proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check plugin/component vendor for specific version
Vendor Advisory: https://wpscan.com/vulnerability/eaa57c8c-1cac-4903-9763-79f7f84469fa/
Restart Required: No
Instructions:
1. Identify the vulnerable WordPress plugin/component.
2. Update to the latest patched version from the official repository.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Disable vulnerable endpoint
- Remove or disable the 'wp_ajax_boost_proxy_ig' action handler
- Edit WordPress theme/plugin files to remove add_action('wp_ajax_boost_proxy_ig', ...) calls
Restrict administrator access
- Limit administrator accounts to only trusted users and implement strong authentication
🧯 If You Can't Patch
- Implement network segmentation to isolate WordPress from internal services
- Deploy web application firewall (WAF) rules to block SSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the 'wp_ajax_boost_proxy_ig' action is registered in your WordPress installation by reviewing the plugin/theme code for add_action('wp_ajax_boost_proxy_ig', ...) calls
Check Version:
Check the plugin version in the WordPress admin dashboard, or use wp-cli: wp plugin list --fields=name,version
Verify Fix Applied:
After updating, confirm that the 'wp_ajax_boost_proxy_ig' endpoint no longer accepts arbitrary URLs (for example, that it rejects internal or link-local targets)
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests from WordPress to internal IPs
- Requests to metadata services (169.254.169.254, 169.254.170.2)
- Multiple rapid requests to different internal endpoints
Network Indicators:
- WordPress server making unexpected outbound connections to internal networks
- Traffic patterns suggesting internal network scanning
SIEM Query:
source="wordpress" AND (url="*wp-admin/admin-ajax.php*" AND action="boost_proxy_ig")
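As an added example (not part of this advisory or of the Jetpack Boost project), the Python below applies the log indicators above to constructed web-server access-log lines: it isolates admin-ajax.php calls with action=boost_proxy_ig, flags any query parameter whose value is a URL pointing at a private, loopback, link-local or metadata-service address, and counts calls per source to surface rapid bursts. The name of the parameter carrying the proxied URL is not given on the page, so every parameter is scanned rather than assuming one.

```python
"""Flag boost_proxy_ig admin-ajax calls whose parameters point at internal hosts."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=boost_proxy_ig&u=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
10.0.0.5 - - [10/Jul/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=boost_proxy_ig&u=http://10.0.1.20:8080/admin HTTP/1.1" 200 88
203.0.113.9 - - [10/Jul/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=boost_proxy_ig&u=https://www.example.com/image.png HTTP/1.1" 200 40123
203.0.113.9 - - [10/Jul/2024:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
METADATA_IPS = {"169.254.169.254", "169.254.170.2"}  # metadata endpoints named in the advisory


def is_internal_target(url):
    """True if the URL's host is a metadata, private, loopback or link-local address."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host in METADATA_IPS or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other hostnames are not resolved offline; extend with DNS checks if needed
    return ip.is_private or ip.is_loopback or ip.is_link_local


def analyze(log_text):
    """Return (findings, per_source): flagged (src, param, url) tuples and call counts per source."""
    findings, per_source = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        request = urlparse(m.group("path"))
        if not request.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(request.query)
        if params.get("action") != ["boost_proxy_ig"]:
            continue
        per_source[m.group("src")] += 1  # burst counting per source (log indicator 3)
        for name, values in params.items():  # parameter name is unknown, so check them all
            for value in values:
                if value.startswith(("http://", "https://")) and is_internal_target(value):
                    findings.append((m.group("src"), name, value))
    return findings, per_source


if __name__ == "__main__":
    hits, counts = analyze(SAMPLE_LOG)
    for src, name, url in hits:
        print(f"ALERT {src} proxied internal URL via {name}={url}")
    print("calls per source:", dict(counts))
```

Real logs usually carry the URL percent-encoded; parse_qs decodes it before the check runs.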