Critical severity 9.6 · NVD Advisory · Published Oct 28, 2022 · Updated Apr 8, 2026
CVE-2022-3708
Description
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter of the /v1/hotlink/proxy REST API endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application, and can be used to query and modify information from internal services.
References
- github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b (nvd: Patch, Third Party Advisory)
- github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0 (nvd: Patch, Release Notes, Third Party Advisory)
- wordpress.org/plugins/web-stories (nvd: Product, Release Notes, Third Party Advisory)
- www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e (nvd: Third Party Advisory)
- www.wordfence.com/vulnerability-advisories-continued/ (nvd: Third Party Advisory)