Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 – Unauthenticated RFI and SSRF | CVE 2021-24472

Description

The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

Proof of Concept

https://demo.pro.radio/wp1/home-18/?qtproxycall=https://raw.githubusercontent.com/wpscanteam/wpscan/master/README.md

Affects Plugins

qt-kentharadio

Fixed in 2.0.2

Affects Themes

onair2

Fixed in 3.9.9.2

References

CVE

CVE-2021-24472

Classification

Type

RFI

OWASP top 10

A1: Injection

CWE

CWE-98

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Andreas Klöbl

Submitter

Andreas Klöbl

Submitter website

https://www.sec-research.com

Submitter twitter

_sec_research

Verified

Yes

WPVDB ID

17591ac5-88fa-4cae-a61a-4dcf5dc0b72a

Timeline

Publicly Published

2021-06-28 (about 2 years ago)

Added

2021-06-28 (about 2 years ago)

Last Updated

2021-08-10 (about 2 years ago)

Other

Published

Title

Published

2024-05-08

Title

Porto Theme - Functionality < 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta

Published

2024-04-25

Title

ElementsKit Pro < 3.6.1 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets

Published

2014-08-01

Title

plugin wordTube <= 1.43 - (wpPATH) RFI

Published

2024-04-03

Title

Rehub < 19.6.2 - Authenticated (Editor+) Local File Inclusion

Published

2024-05-08

Title

Porto < 7.1.1 - Authenticated (Contributor+) Local File Inclusion via Post Meta