CVE-2024-13360 in AI Power Plugin

Summary

by MITRE • 01/22/2025

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.


Analysis

by VulDB Data Team • 01/22/2025

CVE-2024-13360 is a Server-Side Request Forgery (SSRF) flaw in the wpaicg_troubleshoot_add_vector() function of the AI Power: Complete AI Pack plugin for WordPress, affecting all versions up to and including 1.8.96. The flaw gives malicious actors a pathway into the plugin's request-issuing functionality, and its severity is amplified by the fact that it is reachable by any authenticated user with subscriber-level permissions or higher, which makes it particularly dangerous on sites where user access control is not strictly enforced.

The root cause is improper input validation in the plugin's troubleshooting vector handling: wpaicg_troubleshoot_add_vector() does not adequately sanitize or validate the externally supplied parameters that determine where a request is sent, so an authenticated user can supply an attacker-controlled URL or network address. The web application then issues that request itself, reaching internal services that network segmentation would normally protect and effectively bypassing traditional firewall and network security controls. Because the request originates from the WordPress host at the application layer, it appears to be legitimate traffic from the site, which makes the activity particularly stealthy.

The operational impact extends beyond simple data exfiltration: an authenticated attacker can use the SSRF to perform reconnaissance of internal network services, query internal APIs, access databases, or manipulate internal services that are not directly exposed to the internet, potentially gaining access to sensitive information held on internal servers. The consequences are most severe in enterprise environments where the WordPress installation can reach internal resources such as LDAP servers, database systems, or other critical infrastructure components. The weakness is classified as CWE-918 (Server-Side Request Forgery) and can be mapped to ATT&CK technique T1071.004 for application layer protocol usage and T1566 for phishing with a malicious link, as attackers may use this vulnerability to expand their attack surface.

Mitigation for CVE-2024-13360 should start with updating the plugin to the latest available version in which the vulnerability is patched. Beyond that, organizations should segment the network so that internal services are not reachable from the WordPress host, and apply strict outbound firewall rules so the web server can only make the external connections it actually needs. Within the plugin's codebase, proper input validation and sanitization of request targets is essential, and third-party plugins should be audited regularly for similar weaknesses. Access control should be tightened so that only trusted administrators can reach potentially dangerous plugin functionality. Because this is an SSRF flaw, it is particularly important to monitor network traffic for suspicious outbound requests from the web server and to deploy a web application firewall capable of detecting and blocking such patterns.
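As an added illustration of the in-code mitigations described above (this is example code, not the plugin's own handler), the following hardened WordPress AJAX endpoint accepts a caller-supplied URL and fetches it only after a capability check, a nonce check, WordPress's built-in unsafe-URL validation, and a host allowlist. The action name `example_fetch_vector`, the option `example_allowed_vector_hosts` and the host `vector-api.example.com` are constructed placeholders.

```php
<?php
// Added example, not code from the AI Power plugin. Hypothetical names:
// action 'example_fetch_vector', option 'example_allowed_vector_hosts'.
// The weak pattern this replaces is calling wp_remote_get() on an
// unvalidated $_POST['url'] from a handler any logged-in user can reach.

add_action( 'wp_ajax_example_fetch_vector', 'example_fetch_vector' );

function example_fetch_vector() {
    // 1. Only administrators with a valid nonce may trigger outbound
    //    requests; subscriber-level accounts are rejected here.
    check_ajax_referer( 'example_fetch_vector', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // 2. wp_http_validate_url() rejects non-http(s) schemes, embedded
    //    credentials, and hosts that resolve to loopback, private or
    //    reserved address ranges (unless a site filters them back in).
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        wp_send_json_error( 'URL rejected by validator', 400 );
    }

    // 3. Allowlist the destination host: an outbound-request sink should
    //    only ever talk to the few endpoints the feature actually needs.
    //    'vector-api.example.com' is a constructed placeholder default.
    $host    = strtolower( (string) wp_parse_url( $validated, PHP_URL_HOST ) );
    $allowed = (array) get_option( 'example_allowed_vector_hosts', array( 'vector-api.example.com' ) );
    if ( ! in_array( $host, array_map( 'strtolower', $allowed ), true ) ) {
        wp_send_json_error( 'host not allowlisted', 400 );
    }

    // 4. wp_safe_remote_get() sets reject_unsafe_urls, so the URL is
    //    re-checked at request time; redirects are disabled so the
    //    destination cannot change after validation.
    $response = wp_safe_remote_get( $validated, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }

    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'bytes'  => strlen( wp_remote_retrieve_body( $response ) ),
    ) );
}
```

Egress firewall rules and outbound-request monitoring on the web server remain necessary alongside this, since a plugin-level check cannot protect other plugins that issue requests.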

Reservation: 01/13/2025
Disclosure: 01/22/2025
Moderation: accepted
CPE: ready
EPSS: 0.00164
KEV: no
Activities: very low

Sources
