
CVE-2024-13360: CWE-918 Server-Side Request Forgery (SSRF) in senols AI Power: Complete AI Pack

Severity: Medium
Type: Vulnerability
Tags: CVE-2024-13360, CWE-918
Published: Wed Jan 22 2025 (01/22/2025, 07:29:39 UTC)
Source: CVE Database V5
Vendor/Project: senols
Product: AI Power: Complete AI Pack

Description

CVE-2024-13360 is a Server-Side Request Forgery (SSRF) vulnerability in the AI Power: Complete AI Pack WordPress plugin, affecting all versions up to and including 1.8.96. Authenticated users with subscriber-level access or higher can reach the wpaicg_troubleshoot_add_vector() function and make the server issue web requests to URLs of their choosing. Because the request originates from the web server, it can reach internal services (loopback listeners, private-network hosts, cloud instance metadata endpoints) that are not exposed to the internet, and can query or potentially modify them. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction. No public exploits are currently known. Organizations running this plugin should patch or mitigate to prevent internal network reconnaissance or data exposure; the exposure is global, since the plugin is deployed on WordPress sites worldwide.

AI-Powered Analysis

Last updated: 02/26/2026, 01:59:06 UTC

Technical Analysis

CVE-2024-13360 is a Server-Side Request Forgery (SSRF) vulnerability in the AI Power: Complete AI Pack plugin for WordPress, affecting all versions up to and including 1.8.96. The flaw resides in the wpaicg_troubleshoot_add_vector() function, which lets any authenticated user with subscriber-level privileges or higher induce the server to send HTTP requests to arbitrary URLs. Subscriber is the lowest registered role in WordPress, so on a site with open registration the precondition is effectively a free account. SSRF lets an attacker use the server as a proxy: requests that would be blocked at the perimeter are issued from inside, reaching loopback services, RFC 1918 hosts, and link-local endpoints such as cloud instance metadata. Depending on what those services accept, the attacker can read responses or trigger state changes. The vulnerability requires authentication but no additional user interaction, and attack complexity is low. The CVSS v3.1 vector corresponding to the described attributes is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, which yields the reported base score of 5.4 (medium): limited confidentiality and integrity impact, no availability impact, scope unchanged. No public exploits have been reported, but the vulnerability is a practical path to internal reconnaissance and data leakage. As a general point for plugin code, WordPress ships wp_safe_remote_get() and wp_http_validate_url(), which reject destinations resolving to loopback or private address ranges; a plugin that passes a user-supplied URL to wp_remote_get() or directly to cURL bypasses that check. The analysis on this page notes no official patch at the time of reporting, so operators should check the vendor's changelog for a release newer than 1.8.96 and apply interim mitigations until they are on a fixed version.

Potential Impact

The primary impact of this SSRF vulnerability is unauthorized access to internal network resources that are normally unreachable from outside. An attacker with subscriber-level access can use the server to perform internal reconnaissance, discovering sensitive services, databases, admin interfaces, or cloud metadata endpoints (for example the 169.254.169.254 instance metadata service, which on some platforms returns temporary credentials). That foothold can lead to data exfiltration, unauthorized modification of internal services, or pivoting within the network. The vulnerability does not by itself give remote code execution or denial of service, but the ability to query and modify internal services compromises the confidentiality and integrity of sensitive data. The medium CVSS score reflects moderate risk in isolation; the real impact is set by what sits on the web server's internal network and by how much unauthenticated trust those services extend to requests from that host. The authentication requirement narrows the attack surface but does not eliminate it, particularly on sites with open registration, weak user access controls, or compromised credentials.

Mitigation Recommendations

1. Reduce the pool of accounts that meet the precondition: disable open registration (Settings → General → "Anyone can register") unless the site needs it, audit existing subscriber-level and higher accounts, and remove stale ones.
2. Enforce strong authentication (MFA where available, no reused or default passwords) and monitor for unusual authenticated activity, such as a low-privilege account calling troubleshooting or AJAX endpoints it has no reason to use.
3. Use a Web Application Firewall (WAF) to block requests to the affected function that carry URLs pointing at loopback, link-local, or private address ranges. Note that a WAF in front of the site sees the inbound request, not the outbound fetch; egress controls below cover the other side.
4. Apply egress filtering on the web server: deny outbound connections from the web process to 169.254.169.254, 127.0.0.0/8, and RFC 1918 ranges except for explicitly allow-listed dependencies. On cloud hosts, require the metadata service's session-token mode (IMDSv2 on AWS) so a plain GET from SSRF returns nothing useful.
5. Review outbound HTTP and proxy logs for requests from the web server to internal services or metadata endpoints; such requests from a WordPress host are a strong indicator of SSRF exploitation.
6. Disable or limit the plugin until a fixed version is available, then update promptly; keep WordPress core and all plugins current.
7. Segment the network so that the web server cannot reach sensitive internal services it does not need, and ensure those services do not extend unauthenticated trust to requests from the web host.
8. Educate administrators about the risk of low-privilege accounts on a site with vulnerable plugins, and treat subscriber accounts as part of the attack surface.
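The destination check described in the technical analysis (reject URLs that resolve to loopback, private, or link-local addresses) and the log review in step 5 both reduce to the same classification routine. The block below is an added example written for this page, not code from the plugin or from WordPress: it validates a fetch destination the way a hardened SSRF guard would, including IPv4-mapped IPv6 literals and unparseable hosts, and then runs that check over constructed outbound-request log lines to flag likely SSRF attempts. The log format, hostnames, addresses, and the FAKE_DNS resolver map are all assumptions constructed for the example; real code would pass socket.getaddrinfo as the resolver.

```python
import ipaddress
import re
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline.
# Real deployments pass a resolver built on socket.getaddrinfo.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],     # public destination (assumed)
    "internal-db.corp": ["10.0.0.5"],         # RFC 1918
    "loopback.example": ["127.0.0.1"],        # hostname that points at loopback
}


def fake_resolve(host: str) -> List[str]:
    """Resolver with the signature the check expects: host -> list of IP strings."""
    return FAKE_DNS.get(host, [])


def classify_ip(ip_text: str) -> Tuple[bool, str]:
    """Return (is_internal, normalized_address) for an IP literal.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first, otherwise the
    loopback/private tests run on the IPv6 form and miss it.
    """
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    internal = (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return internal, str(addr)


def check_url(url: str,
              resolver: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Decide whether a server-side fetch to `url` is safe. Fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme:{parts.scheme or 'none'}"
    host = parts.hostname            # lowercased, IPv6 brackets stripped
    if not host:
        return False, "no-host"
    try:
        ipaddress.ip_address(host)
        candidates = [host]          # literal address: no lookup needed
    except ValueError:
        # Not a dotted/colon literal. Decimal (2130706433) or hex forms also
        # land here; they get no resolver entry and are rejected as unresolvable.
        candidates = resolver(host)
        if not candidates:
            return False, f"unresolvable:{host}"
    for cand in candidates:          # every record must be public
        internal, addr = classify_ip(cand)
        if internal:
            return False, f"internal-ip:{addr}"
    return True, "ok"


# Constructed outbound-request log: timestamp, WordPress user, destination URL.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+)$")
SAMPLE_LOG = """\
2025-01-22T07:30:01Z subscriber42 https://api.example.com/v1/embeddings
2025-01-22T07:30:09Z subscriber42 http://169.254.169.254/latest/meta-data/
2025-01-22T07:30:15Z subscriber42 http://internal-db.corp:8080/status
2025-01-22T07:30:22Z editor7 http://loopback.example/wp-admin/
2025-01-22T07:30:30Z subscriber42 http://[::ffff:127.0.0.1]/
"""


def flag_ssrf_candidates(log_text: str,
                         resolver: Callable[[str], List[str]] = fake_resolve):
    """Return (ts, user, url, reason) for each logged fetch the guard would reject."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ok, reason = check_url(m["url"], resolver)
        if not ok:
            hits.append((m["ts"], m["user"], m["url"], reason))
    return hits


if __name__ == "__main__":
    for hit in flag_ssrf_candidates(SAMPLE_LOG):
        print(*hit)
```

The check resolves the hostname itself rather than trusting the literal, because an attacker-controlled name can point at 127.0.0.1 or 10.0.0.5 just as easily as a literal can. Two caveats for production use: the connecting code must use the address that was validated (otherwise a short-TTL record can be rebound between check and connect), and redirects must be re-validated, since a public URL may 302 to an internal one.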


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-13T16:40:14.007Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e51b7ef31ef0b59e2e8
Added to database: 2/25/2026, 9:49:05 PM
Last enriched: 2/26/2026, 1:59:06 AM
Last updated: 2/26/2026, 8:55:38 AM
