
CVE-2024-12237: CWE-918 Server-Side Request Forgery (SSRF) in nik00726 Photo Gallery Slideshow & Masonry Tiled Gallery

Severity: Medium
Tags: vulnerability, cve-2024-12237, cwe-918
Published: Fri Jan 03 2025 (01/03/2025, 22:22:05 UTC)
Source: CVE Database V5
Vendor/Project: nik00726
Product: Photo Gallery Slideshow & Masonry Tiled Gallery

Description

CVE-2024-12237 is a Server-Side Request Forgery (SSRF) vulnerability in the nik00726 Photo Gallery Slideshow & Masonry Tiled Gallery WordPress plugin, affecting all versions up to and including 1.0.15. Authenticated users with Subscriber-level access or higher can reach the rjg_get_youtube_info_justified_gallery_callback function and make the web server issue requests to attacker-chosen URLs. Because those requests originate from the server, they can reach internal services that are not exposed externally and return limited information from them. Exploitation requires only a low-privileged account and no further user interaction; the CVSS v3.1 base score is 4.3 (medium). No exploits are known in the wild and, at the time of writing, no official patch has been published. Organizations running this plugin should watch for an update and, meanwhile, restrict who can hold an account on the site. The exposure is limited to WordPress sites with this specific plugin installed.

AI-Powered Analysis

Last updated: 02/26/2026, 05:59:04 UTC

Technical Analysis

CVE-2024-12237 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the nik00726 Photo Gallery Slideshow & Masonry Tiled Gallery WordPress plugin. It is present in all versions up to and including 1.0.15 and lies in the function rjg_get_youtube_info_justified_gallery_callback. The function accepts a user-supplied value and uses it as the destination of a server-side HTTP request without restricting where that request may go, so any authenticated user with Subscriber-level privileges or higher can make the web server fetch arbitrary URLs on their behalf. SSRF turns the server into a proxy: destinations that are unreachable from the internet, such as loopback services, hosts on the private network, or a cloud provider's instance metadata endpoint, become reachable from the server's network position. The privilege requirement is low in practice. Subscriber is the default role WordPress assigns to self-registered accounts when "Anyone can register" is enabled, and it is commonly granted to commenters, so on many sites anyone can obtain it. No user interaction beyond authentication is needed. The flaw does not directly affect integrity or availability, but it yields a limited confidentiality impact by exposing responses from internal services. The CVSS v3.1 base score of 4.3 (medium) reflects a network attack vector, low attack complexity, low privileges required, no user interaction and a low confidentiality impact, which corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. No public exploit or official patch is available at the time of writing, so mitigation has to be proactive. Any site with the plugin active and user registration open is exposed.
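The following is an added illustration, not the plugin's actual code: a hypothetical WordPress AJAX handler that reproduces the pattern described above (a logged-in user supplies a URL that the server then fetches), followed by a hardened version of the same handler. The handler, action and parameter names (example_get_video_info, the url POST field, the example_video_info nonce) are assumptions made for the example; the WordPress functions used (check_ajax_referer, current_user_can, wp_safe_remote_get, wp_http_validate_url) are real core APIs.

```php
<?php
/**
 * Added example, not the plugin's own code. Shows an SSRF-prone AJAX
 * handler and a hardened replacement. Handler and parameter names are
 * illustrative assumptions.
 */

// --- Vulnerable pattern (illustrative) -------------------------------------
// wp_ajax_* hooks fire for every authenticated user, Subscribers included.
add_action( 'wp_ajax_example_get_video_info', 'example_get_video_info_vulnerable' );

function example_get_video_info_vulnerable() {
    // No nonce, no capability check, and the URL is taken verbatim.
    $url = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';

    // The server fetches whatever the caller asked for, so
    // http://127.0.0.1:8080/, http://169.254.169.254/latest/meta-data/ or an
    // internal hostname are all reachable from the web server's position.
    $response = wp_remote_get( $url );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message() );
    }
    // Returning the raw body hands the internal response to the attacker.
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// --- Hardened version -------------------------------------------------------
add_action( 'wp_ajax_example_get_video_info_safe', 'example_get_video_info_safe' );

function example_get_video_info_safe() {
    // 1. CSRF protection plus a capability check: only users who build
    //    galleries need this endpoint, not every Subscriber.
    check_ajax_referer( 'example_video_info', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // 2. The endpoint exists to look up YouTube videos, so accept only
    //    https URLs on YouTube hosts. An allowlist removes the SSRF surface
    //    instead of trying to enumerate bad destinations.
    if ( ! example_is_allowed_video_url( $url ) ) {
        wp_send_json_error( 'only YouTube URLs are accepted', 400 );
    }

    // 3. The server only ever contacts a fixed host; the user's URL travels
    //    as a query parameter. wp_safe_remote_get() additionally runs
    //    wp_http_validate_url(), which rejects loopback, link-local and
    //    RFC 1918 destinations and non-standard ports. redirection => 0
    //    keeps a redirect from steering the fetch elsewhere.
    $response = wp_safe_remote_get(
        'https://www.youtube.com/oembed?format=json&url=' . rawurlencode( $url ),
        array( 'timeout' => 5, 'redirection' => 0 )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'lookup failed', 502 );
    }

    // 4. Return only the fields the gallery needs, never the raw body.
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    wp_send_json_success( array(
        'title'         => isset( $data['title'] ) ? sanitize_text_field( $data['title'] ) : '',
        'thumbnail_url' => isset( $data['thumbnail_url'] ) ? esc_url_raw( $data['thumbnail_url'] ) : '',
    ) );
}

function example_is_allowed_video_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Only https, no embedded credentials and no explicit port, so that
    // https://user@internal-host:8080/ style inputs fail the check.
    if ( 'https' !== strtolower( $parts['scheme'] ) || isset( $parts['user'] ) || isset( $parts['port'] ) ) {
        return false;
    }
    $allowed_hosts = array( 'www.youtube.com', 'youtube.com', 'youtu.be' );
    return in_array( strtolower( $parts['host'] ), $allowed_hosts, true );
}
```

The important design change is step 3: the hardened handler never uses the caller's URL as a request destination, only as a parameter to a request aimed at a fixed host. The allowlist and wp_safe_remote_get() are defence in depth on top of that; wp_http_validate_url() resolves the hostname before checking the address, so a DNS name pointing at an internal IP is also refused.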

Potential Impact

The primary impact of CVE-2024-12237 is exposure of internal network resources and the information they return. An attacker holding only a Subscriber account can make the web server send requests to destinations of their choosing, including internal APIs, administrative interfaces bound to loopback, and cloud instance metadata services (reachable at the link-local address 169.254.169.254 on the major cloud providers), which may return credentials or configuration. Even where the response is only partially returned, the reconnaissance it provides (which hosts and ports answer, what software runs there) supports follow-on attacks such as privilege escalation, lateral movement or data exfiltration. The vulnerability does not directly affect data integrity or availability, and the CVSS base score rates the confidentiality impact as low, but the real-world impact depends on what sits behind the web server: flat networks and internal services that trust any caller from the web tier are the worst case. The medium severity reflects the limited scope and the authentication requirement; the ease with which a low-privilege account can be obtained on sites with open registration raises the practical risk. The absence of known in-the-wild exploitation lowers immediate risk but does not remove it, and the function name alone is enough for an attacker to locate the endpoint once the plugin is identified. Beyond the technical exposure, a confirmed SSRF on a public site undermines confidence in the site and reveals infrastructure details to attackers.

Mitigation Recommendations

Because no official patch is available at the time of writing, treat the following as interim controls. First, reduce who can reach the vulnerable endpoint: disable open registration (Settings → General, "Anyone can register") unless the site needs it, audit existing Subscriber and higher accounts, and remove unused ones. If gallery functionality is not essential, deactivate or remove the plugin until a fixed release appears. Second, limit what the web server can reach: apply egress firewall rules so the PHP process can only open outbound connections to the destinations it needs, and explicitly block loopback, the RFC 1918 ranges and the link-local metadata address 169.254.169.254. Log and review outbound connections from the web tier; requests from the web server to internal addresses are a strong SSRF indicator. Third, if the plugin must stay active, apply a code-level workaround: restrict the callback to a capability above Subscriber, accept only URLs on the YouTube hosts it is meant to query, and fetch them with wp_safe_remote_get(), whose wp_http_validate_url() check rejects loopback, link-local and private destinations. A Web Application Firewall with SSRF signatures can block obvious payloads such as internal IP literals and metadata paths, but a DNS name that resolves to an internal address bypasses it, so do not rely on a WAF alone. Finally, keep WordPress core and all plugins current and subscribe to vendor security advisories so the fix is applied promptly when it is released.
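One way to enforce the egress restriction inside WordPress itself, without editing the vulnerable plugin, is a must-use plugin that hooks the core HTTP API. The following is an added example, not code from the page or from the plugin: it uses the real pre_http_request filter and wp_http_validate_url() to refuse any wp_remote_* request whose destination fails WordPress's own unsafe-URL rules. The file name, the $allowed_internal_hosts list and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Example outbound request guard
 * Description: Added example (not the page's or the plugin's code). Blocks
 * WordPress HTTP API requests to internal destinations site-wide as an
 * interim control while a vulnerable plugin cannot be patched. Install by
 * copying to wp-content/mu-plugins/ (filename is an assumption).
 *
 * Scope: only requests made through the WP HTTP API (wp_remote_get() and
 * friends) pass through pre_http_request. Raw curl or file_get_contents()
 * calls are not covered; use host-level egress rules for those.
 */

add_filter( 'pre_http_request', 'example_block_internal_requests', 10, 3 );

function example_block_internal_requests( $preempt, $parsed_args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another filter already short-circuited this request
    }

    // Hosts that legitimately live on private addresses (assumption: an
    // internal mail relay or API). Everything else that resolves to a
    // loopback, link-local or RFC 1918 address is refused.
    $allowed_internal_hosts = array();

    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host ) {
        return new WP_Error( 'egress_blocked', 'Malformed request URL' );
    }
    if ( in_array( strtolower( $host ), $allowed_internal_hosts, true ) ) {
        return false; // false lets the request proceed
    }

    // wp_http_validate_url() applies WordPress's unsafe-URL rules: http/https
    // only, no embedded credentials, ports 80/443/8080 only, and the host's
    // resolved address must not be loopback, link-local or private. The
    // site's own hostname is exempt, so WP-Cron loopback requests still work.
    if ( false === wp_http_validate_url( $url ) ) {
        error_log( sprintf(
            'egress blocked: user=%d url=%s',
            get_current_user_id(),
            $url
        ) );
        return new WP_Error(
            'egress_blocked',
            'Outbound request to an internal destination refused'
        );
    }

    return false;
}
```

Returning a WP_Error from pre_http_request makes the caller's wp_remote_get() return that error, so a vulnerable handler that fetches a user-supplied URL receives an error instead of the internal response. The error_log() line gives the detection signal the mitigation section asks for: each blocked request is recorded with the user ID that triggered it, which is exactly the account to investigate.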


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-05T11:42:13.345Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e32b7ef31ef0b5979a4

Added to database: 2/25/2026, 9:48:34 PM

Last enriched: 2/26/2026, 5:59:04 AM

Last updated: 2/26/2026, 6:10:44 AM

