QT KenthaRadio < 2.0.2 & OnAir2 < 3.9.9.2 - Server-Side Request Forgery & Remote File Inclusion

9.8
Server-Side Request Forgery (SSRF)
CVE CVE-2021-24472
CVSS 9.8 (Critical)
Publicly Published June 28, 2021
Last Updated January 22, 2024
Researcher Andreas Klöbl

Description

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

References

Share

Vulnerability Details for KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality

Software Type Plugin
Software Slug qt-kentharadio
Patched? Yes
Remediation Update to version 2.0.2, or a newer patched version
Affected Version
  • < 2.0.2
Patched Version
  • 2.0.2

1 other affected software package

Software Type Theme
Software Slug onair2
Patched? Yes
Remediation Update to version 3.9.9.2, or a newer patched version
Affected Version
  • < 3.9.9.2
Patched Version
  • 3.9.9.2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation