Vulnerabilities and security researches forwpgetapi wpgetapi

Mar 08, 2025

CVE, Research URL: CVE-2024-13857
Home page URL: Security reports for Connect to external APIs – WPGetAPI
Application: Connect to external APIs – WPGetAPI
Date: Mar 07, 2025
Research Description: The WPGet API – Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Affected versions: max 2.25.1.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: 89d2b0cb158117bdc01ff2aa0f0b5a2b8217df1c
Home page URL: Security reports for Connect to external APIs – WPGetAPI
Application: Connect to external APIs – WPGetAPI
Date: Oct 02, 2023
Research Description: WPGet API – Connect to any external REST API [wpgetapi] < 2.2.2 WPGetAPI 2.1.0 - 2.2.1 - Authenticated (Subscriber+) Arbitrary Options Update The WPGetAPI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_endpoints() function in versions 2.1.0 - 2.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options which can be leveraged for privilege escalation.
Affected versions: Min 2.1.0, max 2.2.2.
Status: vulnerable