CVE-2020-24142: 
WordPress vulnerability analysis and mitigation

Server-side request forgery (SSRF) vulnerability was discovered in the Video Downloader for TikTok (aka downloader-tiktok) WordPress plugin version 1.3. The vulnerability was assigned CVE-2020-24142 and was publicly disclosed on April 13, 2021. The affected plugin allows attackers to send crafted requests from the back-end server of a vulnerable web application through the njt-tk-download-video parameter (MITRE CVE, WPScan).

The vulnerability stems from improper sanitization of the njt-tk-download-video parameter in the plugin's code. It received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability enables attackers to identify open ports, local network hosts, and execute commands on services through the compromised server. This could potentially lead to unauthorized access to internal systems and sensitive information (MITRE CVE).

The vulnerability was fixed in version 1.4 of the Video Downloader for TikTok plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).