CVE-2024-1978: 
WordPress vulnerability analysis and mitigation

The Friends plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-1978) affecting all versions up to and including 2.8.5. The vulnerability exists in the discoveravailablefeeds function, which allows authenticated attackers with administrator-level access or higher to make web requests to arbitrary locations originating from the web application (NVD).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue with a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is tracked under CWE-918 (Server-Side Request Forgery) and affects the discoveravailablefeeds function in the Friends WordPress plugin (NVD).

When exploited, this vulnerability allows attackers with administrator-level privileges to query and modify information from internal services by making web requests to arbitrary locations through the web application (NVD).

Users should upgrade to version 2.8.6 or later of the Friends WordPress plugin which contains the fix for this vulnerability. The fix has been implemented through a pull request that improves friend URL validation before attempting to discover feeds (GitHub PR).