CVE-2024-9624: CWE-918 Server-Side Request Forgery (SSRF) in Soflyy WP All Import Pro
CVE-2024-9624 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the WP All Import Pro WordPress plugin, affecting all versions up to 4.9.3. The flaw exists due to missing SSRF protections in the pmxi_curl_download function, allowing authenticated users with Administrator privileges to make arbitrary web requests from the server. This can lead to unauthorized querying and modification of internal services and, on cloud platforms, may expose sensitive instance metadata. Exploitation requires administrator-level access but no user interaction beyond that. The vulnerability impacts confidentiality heavily, with some integrity impact, but does not affect availability. No public exploits are known yet. Organizations using this plugin should prioritize patching or mitigating this issue to prevent potential internal network reconnaissance or data leakage. Countries with significant WordPress usage and cloud deployments are at higher risk.
AI Analysis
Technical Summary
CVE-2024-9624 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WP All Import Pro plugin for WordPress, specifically in the pmxi_curl_download function. This function lacks adequate SSRF protections, enabling attackers with authenticated Administrator-level access to force the server to send HTTP requests to arbitrary destinations. SSRF vulnerabilities allow attackers to pivot from the compromised web application to internal network resources that are otherwise inaccessible externally. In this case, an attacker can query internal services, potentially extracting sensitive information or modifying internal data. On cloud environments such as AWS, Azure, or Google Cloud, this vulnerability could be leveraged to access instance metadata endpoints, which often contain credentials and configuration data that can lead to further compromise. The vulnerability affects all versions up to and including 4.9.3 of WP All Import Pro. Exploitation requires high privileges (Administrator or above) but does not require user interaction. The CVSS v3.1 base score is 7.6, reflecting high severity due to the potential for confidentiality breach and partial integrity impact. No public exploits have been reported yet, but the risk remains significant given the widespread use of WordPress and this plugin in particular. The vulnerability was published on December 17, 2024, and is tracked under CWE-918 (SSRF).
Potential Impact
The primary impact of CVE-2024-9624 is on confidentiality, as attackers can use the SSRF flaw to access internal services and sensitive data not normally exposed externally. This includes the potential to read cloud instance metadata, which can contain credentials and other secrets, leading to privilege escalation and lateral movement within cloud environments. Integrity impact is moderate, as attackers might modify internal service data if those services accept such requests. Availability is not directly impacted. Organizations using WP All Import Pro on WordPress sites, especially those hosted on cloud platforms, face increased risk of internal network reconnaissance, data leakage, and potential further compromise. Given the requirement for administrator-level access, the vulnerability is most dangerous in environments where administrator credentials are weak, reused, or compromised. The widespread use of WordPress and this plugin means many organizations globally could be affected, particularly those relying on cloud infrastructure and internal APIs. The absence of public exploits reduces immediate risk but does not eliminate the threat, especially from targeted attackers.
Mitigation Recommendations
To mitigate CVE-2024-9624, organizations should immediately update WP All Import Pro to a patched version once available. Until a patch is released, restrict administrator access to trusted users only and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Implement network segmentation and firewall rules to limit the WordPress server's ability to make outbound HTTP requests to internal or sensitive endpoints. Monitor and log all outbound requests from the WordPress server to detect anomalous SSRF activity. Review and harden internal services to require authentication and validate requests to prevent unauthorized access or modification. On cloud platforms, restrict access to instance metadata services using platform-specific controls (e.g., AWS IMDSv2 enforcement). Additionally, conduct regular audits of administrator accounts and credentials to reduce the risk of compromise. Employ Web Application Firewalls (WAFs) with SSRF detection capabilities to block suspicious requests. Finally, educate administrators about the risks of SSRF and the importance of limiting plugin installations and updates to trusted sources.
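The Technical Summary says pmxi_curl_download fetches a supplied URL without SSRF protections, and the mitigations above ask for outbound requests to internal and metadata endpoints to be blocked. The check below is an added example, not the plugin's own code, of the destination validation such a download helper needs: an http/https-only scheme allowlist, rejection of embedded credentials, resolution of every address a hostname maps to, and refusal of any non-public address (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6). The plugin is PHP; the logic is shown in Python. The FAKE_DNS table, hostnames and addresses are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not the plugin's code: the destination check a server-side
# download helper such as pmxi_curl_download needs before fetching a supplied URL.
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    # False for loopback, RFC 1918/ULA, link-local (169.254.169.254 metadata),
    # shared space, reserved, unspecified and multicast addresses.
    return ip.is_global and not ip.is_multicast

def system_resolver(host):
    # Every A/AAAA answer for host: the fetch may use any of them.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def check_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ips). The caller connects to pinned_ips
    instead of re-resolving, so DNS cannot change between check and fetch."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed", []
    if not p.hostname:
        return False, "missing host", []
    if p.username is not None or p.password is not None:
        return False, "credentials embedded in URL", []
    try:
        ipaddress.ip_address(p.hostname)
        ips = [p.hostname]                 # literal IP, no DNS needed
    except ValueError:
        try:
            ips = resolver(p.hostname)
        except OSError as exc:             # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}", []
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        return False, f"resolves to non-public address(es): {bad}", []
    return True, "ok", ips

# Constructed resolver so the example runs offline; all values are illustrative.
FAKE_DNS = {"files.example.com": ["93.184.216.34"],
            "rebind.example.net": ["93.184.216.34", "10.0.0.5"]}
def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]
```

A name that resolves to both a public and a private address (rebind.example.net above) is rejected outright, and the returned pinned_ips should be the addresses the HTTP client actually connects to; redirects must be passed through the same check before being followed.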
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Japan, Netherlands, Brazil, South Korea, Italy, Spain, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-08T11:19:22.388Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b54b7ef31ef0b552435
Added to database: 2/25/2026, 9:36:20 PM
Last enriched: 2/25/2026, 11:29:32 PM
Last updated: 2/26/2026, 7:16:19 AM