WP Ultimate CSV Importer < 6.5.3 – Admin+ Blind SSRF | CVE 2022-1977 | Plugin Vulnerabilities

Description

The plugin does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks

Proof of Concept

Put an internal/LAN URL such as below in the file upload by URL function

https://127.0.0.1:8080
http://192.168.0.224:8181/?u=https://docs.google.com/

Affects Plugins

wp-ultimate-csv-importer

Fixed in 6.5.3

References

CVE

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Luan Pedersini

Submitter

IBLISS Digital Security

Submitter website

https://ibliss.com.br

Verified

Yes

WPVDB ID

1b640519-75e1-48cb-944e-b9bff9de6d3d

Timeline

Publicly Published

2022-06-02 (about 3 years ago)

Added

2022-06-02 (about 3 years ago)

Last Updated

2023-03-05 (about 2 years ago)

Other

Published

Title

Published

2025-01-23

Title

Activity Plus Reloaded for BuddyPress < 1.1.2 - Authenticated (Subscriber+) Blind Server-Side Request Forgery

Published

2025-06-12

Title

ProfileGrid < 5.9.5.3 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2025-09-26

Title

ZoloBlocks < 2.3.12 - Unauthenticated Sever-Side Request Forgery

Published

2024-02-23

Title

SuperFaktura WooCommerce < 1.40.4 - Authenticated (Subscriber+) Blind Server-Side Request Forgery

Published

2023-05-15

Title

Essential Addons for Elementor Pro < 5.4.9 - Unauthenticated SSRF