CVE-2024-13907

CVE Database · CVE-2024-13907

CVE-2024-13907

· MEDIUMAnalyzed

CVSS v3.1

4.9

EPSS

0.43%

Published

Feb 27, 2025

Modified

Mar 11, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the 'download' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-918

Affected Products (1)

boldgrid · total_upkeep (up to 1.16.9)vulnerable

References (3)

https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/includes/class-boldgrid-backup-archive-fetcher.php#L141

Product

https://plugins.trac.wordpress.org/changeset/3246655/

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/21da92d2-c38d-4a12-b850-bd0b580aaa54?source=cve

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs