WordPress Plugin Vulnerabilities

Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery

Description

The plugin does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

Proof of Concept

1. Install the Log HTTP Requests plugin to inspect the requests being sent from the server-side.
2. Open a blog post in the block editor.
3. Click on the "MyStockPhotos" icon in the upper right to open the "MyStockPhotos" sidebar.
4. Hover over an image, click the button to "Add to Media Library", and intercept the request.
5. Change the URL in the `url` POST parameter to an arbitrary URL.
6. Forward the request, and check the HTTP Requests log. See that the server has sent a request to the URL that was chosen.

Affects Plugins

Plugin icon
themeisle-companion
Fixed in 2.10.24

References

CVE
CVE-2023-2287

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
1b36a184-2138-4a65-8940-07e7764669bb

Timeline

Publicly Published
2023-05-02 (about 1 years ago)
Added
2023-05-02 (about 1 years ago)
Last Updated
2023-05-02 (about 1 years ago)

Other

Published
Title
Published
2022-10-21
Title
Better Messages < 1.9.10.69 - Subscriber+ SSRF
Published
2024-02-27
Title
Seraphinite Accelerator < 2.21 - Authenticated (Subscriber+) Server-Side Request Forgery in OnAdminApi_HtmlCheck
Published
2023-09-11
Title
Crayon Syntax Highlighter <= 2.8.4 - Contributor+ Server Side Request Forgery
Published
2024-04-25
Title
Radio Player < 2.0.74 - Unauthenticated Server-Side Request Forgery
Published
2023-06-06
Title
Getwid < 1.8.4 - Subscriber+ SSRF