CVE-2024-13879: Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery

Medium (5.5)

Description

The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

Classification

CVE ID: CVE-2024-13879

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Affected Products

Vendor: xwp

Product: Stream

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 0.24596 (how common is this exploit)

EPSS Date: 2025-03-13 (when was this score calculated)

Timeline

2025-02-18 00:30:16 UTC
CVE

Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery