WordPress Plugin Vulnerabilities

JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF

Description

The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.

Proof of Concept

Affects Plugins

Plugin icon
wp-file-get-contents
Fixed in 2.7.1

References

CVE
CVE-2023-6991

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
0b92becb-8a47-48fd-82e8-f7641cf5c9bc

Timeline

Publicly Published
2023-12-21 (about 2 years ago)
Added
2023-12-21 (about 2 years ago)
Last Updated
2023-12-21 (about 2 years ago)

Other

Published
Title
Published
2025-10-24
Title
Slider Templates <= 1.0.3 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-11-18
Title
Responsive Lightbox & Gallery < 2.5.4 - Authenticated (Author+) Server-Side Request Forgery
Published
2024-12-12
Title
Radio Player < 2.0.85 - Unauthenticated Server-Side Request Forgery
Published
2024-03-26
Title
Gutenberg Blocks with AI by Kadence WP – Page Builder Features < 3.2.20 - Contributor+ Server-Side Request Forgery
Published
2014-08-01
Title
WordPress 1.5.1-3.5 - XML-RPC Pingback Additional Issues