Orbit Fox < 2.10.24 – Author+ Server-Side Request Forgery | CVE 2023-2287 | Plugin Vulnerabilities

Description

The plugin does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

Proof of Concept

1. Install the Log HTTP Requests plugin to inspect the requests being sent from the server-side.
2. Open a blog post in the block editor.
3. Click on the "MyStockPhotos" icon in the upper right to open the "MyStockPhotos" sidebar.
4. Hover over an image, click the button to "Add to Media Library", and intercept the request.
5. Change the URL in the `url` POST parameter to an arbitrary URL.
6. Forward the request, and check the HTTP Requests log. See that the server has sent a request to the URL that was chosen.

Affects Plugins

themeisle-companion

Fixed in 2.10.24

References

CVE

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

1b36a184-2138-4a65-8940-07e7764669bb

Timeline

Publicly Published

2023-05-02 (about 2 years ago)

Added

2023-05-02 (about 2 years ago)

Last Updated

2023-05-02 (about 2 years ago)

Other

Published

Title

Published

2025-09-26

Title

Silencesoft RSS Reader <= 0.6 - Unauthenticated Server-Side Request Forgery

Published

2021-09-21

Title

Telefication <= 1.8.0 - Open Relay & Server-Side Request Forgery

Published

2025-09-30

Title

Block For Mailchimp – Easy Mailchimp Form Integration < 1.1.13 - Unauthenticated Blind Server-Side Request Forgery

Published

2014-08-01

Title

WordPress 1.5.1-3.5 - XML-RPC Pingback API Internal/External Port Scanning

Published

2025-12-18

Title

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player 2.4.0 - 2.5.1 - Unauthenticated Server-Side Request Forgery