CVE-2024-23825 LOW

CVE-2024-23825: TablePress SSRF vulnerability due to insufficient filtering of cloud provider hosts

Vendor Tablepress
Product TablePress
Weakness CWE-918 · SSRF
Published January 30, 2024
Last update May 29, 2025

CVSS base score

3.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

TablePress is a table plugin for WordPress. For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user. That user input is filtered insufficiently, which makes it possible to send requests to unintended network locations and receive responses. On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials. This vulnerability is fixed in 2.2.5.

Key dates

02 Disclosure timeline

January 30, 2024 CVE published
May 29, 2025 Record updated