CVE-2024-13924: Starter Templates by FancyWP <= 2.0.0 - Unauthenticated Blind Server-Side Request Forgery
First published: Sat Mar 08 2025(Updated: )
The Starter Templates by FancyWP plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the 'http_request_host_is_external' filter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FancyWP Starter Templates | <=2.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-13924?
CVE-2024-13924 has been classified as a medium severity vulnerability due to its potential for blind server-side request forgery.
How do I fix CVE-2024-13924?
To fix CVE-2024-13924, you should update the FancyWP Starter Templates plugin to version 2.0.1 or higher.
Who is affected by CVE-2024-13924?
Any WordPress user running FancyWP Starter Templates plugin version 2.0.0 or lower is affected by CVE-2024-13924.
What type of vulnerability is CVE-2024-13924?
CVE-2024-13924 is identified as a Blind Server-Side Request Forgery vulnerability.
Can unauthenticated users exploit CVE-2024-13924?
Yes, unauthenticated attackers can exploit CVE-2024-13924 to make web requests to arbitrary domains.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/source
- agent/severity
- agent/tags
- agent/event
- vendor/fancywp
- canonical/fancywp starter templates