Home > Vulnerability Database > CVE-2022-3708

Mend.io Vulnerability Database

CVE-2022-3708

Good to know:

Date: October 28, 2022

The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Language: PHP

Severity Score

8.1

Related Resources (7)

Url: https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3708

Url: https://github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0

Url: https://wordpress.org/plugins/web-stories

Url: https://www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e?source=cve

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-3708

Url: https://github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b

Url: https://www.mend.io/vulnerability-database/CVE-2022-3708

Severity Score

8.1

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version v1.25.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-3708

Good to know:

Date: October 28, 2022

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?