CVE-2024-13411: 
WordPress vulnerability analysis and mitigation

The Zapier for WordPress plugin is affected by a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 1.5.1. The vulnerability was discovered in the updated_user() function and was patched in version 1.5.2, released on March 18, 2025 (WordPress Plugin, NVD).

The vulnerability exists in the updated_user() function where authenticated attackers with Subscriber-level access or higher can make web requests to arbitrary locations originating from the web application. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The SSRF vulnerability allows authenticated attackers to query and modify information from internal services by making web requests to arbitrary locations through the web application. This could potentially expose sensitive internal services and data to unauthorized access (NVD).

The vulnerability has been patched in version 1.5.2 of the Zapier for WordPress plugin. The fix includes implementing URL validation and using wp_safe_remote_post for secure requests. Users are advised to update to version 1.5.2 or later to protect against this vulnerability (WordPress Plugin, Plugin Changeset).