CVE-2024-4354: CWE-918 Server-Side Request Forgery (SSRF) in tobiasbg TablePress – Tables in WordPress made easy
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Due to the complex nature of protecting against DNS rebind attacks in WordPress software, we settled on the developer simply restricting the usage of the URL import functionality to just administrators. While this is not optimal, we feel this poses a minimal risk to most site owners and ideally WordPress core would correct this issue in wp_safe_remote_get() and other functions.
AI Analysis
Technical Summary
CVE-2024-4354 is a Server-Side Request Forgery vulnerability in the TablePress – Tables in WordPress made easy plugin affecting all versions up to 2.3. The flaw exists in the get_files_to_import() function, allowing authenticated users with author-level privileges or higher to cause the server to make arbitrary HTTP requests. This can be leveraged to interact with internal services that are otherwise inaccessible externally. The developer's mitigation involves restricting the URL import functionality to administrators, acknowledging that a complete fix is complicated by DNS rebinding protections in WordPress core functions such as wp_safe_remote_get(). No official patch is currently available.
Potential Impact
An attacker with author-level or higher access can exploit this SSRF vulnerability to make the server send arbitrary HTTP requests, potentially exposing or modifying data from internal services. The impact includes limited confidentiality and integrity loss but no availability impact. The vulnerability could be used to bypass network restrictions within the hosting environment. However, the risk is somewhat mitigated by restricting the vulnerable functionality to administrators only.
Mitigation Recommendations
Currently, the developer has restricted the URL import feature to administrators to reduce exposure. There is no official patch available at this time. Site owners should ensure that only trusted administrators have access to this functionality. Monitor vendor advisories for updates or official fixes. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2024-4354: CWE-918 Server-Side Request Forgery (SSRF) in tobiasbg TablePress – Tables in WordPress made easy
Description
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Due to the complex nature of protecting against DNS rebind attacks in WordPress software, we settled on the developer simply restricting the usage of the URL import functionality to just administrators. While this is not optimal, we feel this poses a minimal risk to most site owners and ideally WordPress core would correct this issue in wp_safe_remote_get() and other functions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-4354 is a Server-Side Request Forgery vulnerability in the TablePress – Tables in WordPress made easy plugin affecting all versions up to 2.3. The flaw exists in the get_files_to_import() function, allowing authenticated users with author-level privileges or higher to cause the server to make arbitrary HTTP requests. This can be leveraged to interact with internal services that are otherwise inaccessible externally. The developer's mitigation involves restricting the URL import functionality to administrators, acknowledging that a complete fix is complicated by DNS rebinding protections in WordPress core functions such as wp_safe_remote_get(). No official patch is currently available.
Potential Impact
An attacker with author-level or higher access can exploit this SSRF vulnerability to make the server send arbitrary HTTP requests, potentially exposing or modifying data from internal services. The impact includes limited confidentiality and integrity loss but no availability impact. The vulnerability could be used to bypass network restrictions within the hosting environment. However, the risk is somewhat mitigated by restricting the vulnerable functionality to administrators only.
Mitigation Recommendations
Currently, the developer has restricted the URL import feature to administrators to reduce exposure. There is no official patch available at this time. Site owners should ensure that only trusted administrators have access to this functionality. Monitor vendor advisories for updates or official fixes. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-04-30T17:18:11.555Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b88b7ef31ef0b556581
Added to database: 2/25/2026, 9:37:12 PM
Last enriched: 4/9/2026, 2:31:48 PM
Last updated: 4/12/2026, 9:29:58 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.