WordPress Plugin Vulnerabilities

Import WP < 2.13.1 - Admin+ Server-side Request Forgery

Description

The plugin does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.

Proof of Concept

Affects Plugins

Plugin icon
jc-importer
Fixed in 2.13.1

References

CVE
CVE-2023-7253

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Mr Empy
Submitter
Mr Empy
Submitter website
https://mrempy.github.io
Submitter twitter
mr_empy
Verified
Yes
WPVDB ID
aeefcc01-bbbf-4d86-9cfd-ea0f9a85e1a5

Timeline

Publicly Published
2024-04-03 (about 1 year ago)
Added
2024-04-03 (about 1 year ago)
Last Updated
2024-04-03 (about 1 year ago)

Other

Published
Title
Published
2025-02-28
Title
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss < 2.7.5 - Unauthenticated Limited Server-Side Request Forgery in nice_links
Published
2025-07-01
Title
Amazon Products to WooCommerce <= 1.2.7 - Unauthenticated Server-Side Request Forgery
Published
2024-10-15
Title
Edwiser Bridge < 3.0.8 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-09-25
Title
Snow Monkey < 29.1.6 - Unauthenticated Blind Server-Side Request Forgery
Published
2025-02-17
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.3 - Authenticated (Subscriber+) Limited Server-Side Request Forgery