CVE-2024-54385

HIGH NUCLEI

SoftLab Radio Player <2.0.82 - SSRF

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-54385. PoCs published by halilkirazkaya, RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. Each PoC includes HTTP requests or commands to exploit the respective vulnerabilities.

Description

Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through <= 2.0.83.

Exploits (2)

github WORKING POC 4 stars

by halilkirazkaya · poc

https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2024/CVE-2024-54385.md

View Code ZIP pw:eip

This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. Each PoC includes HTTP requests or commands to exploit the respective vulnerabilities.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.)

No auth needed

Prerequisites: Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2024-54385

View Code ZIP pw:eip

This repository contains a proof-of-concept for CVE-2024-54385, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the Radio Player WordPress plugin. The PoC demonstrates how an attacker can send a crafted POST request to exploit the vulnerability and make arbitrary web requests from the server.

Classification

Working Poc 90%

Attack Type

Ssrf

Complexity

Trivial

Reliability

Reliable

Target: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin <= 2.0.82

No auth needed

Prerequisites: Access to the target WordPress site with the vulnerable plugin installed

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Radio Player <= 2.0.82 - Server-Side Request Forgery

HIGHVERIFIEDby s4e-io

Shodan: http.html:"/wp-content/plugins/radio-player"

FOFA: body="/wp-content/plugins/radio-player"

References (2)

Core 2

Core References

Third Party Advisory

https://patchstack.com/database/wordpress/plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-82-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

Vdb Entry vdb-entry

https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-82-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

Scores

CVSS v3 7.2

EPSS 0.0503

EPSS Percentile 91.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

princeahmed/Radio Player < 2.0.83

SoftLab/Radio Player < 2.0.82

Published Dec 16, 2024

Tracked Since Feb 18, 2026