This report is a variant of report #110801 but with a broader vector.
This vulnerability uses the same entry vector, the Press This scrape function, but entirely bypasses the IP and port filter, allowing SSRF to any IP and port and appending basic-auth headers.
The ip:port bypass is made by forging a CSRF to wp-admin/press-this.php?u=http://[HOST|IP] with a valid hostname/IP. The valid host then replies with a crafted redirect header targeting location: http://[privateip]:[port], e.g. 192.168.0.1 or 127.0.0.1:11211, resulting in the final SSRF: the filter is applied to the submitted URL only, not to the redirect target. The redirect can also include basic-auth credentials, which the server adds as an Authorization header.
The PoC is very similar to #110801 but with the addition of a valid domain which replies with a redirection header and HTTP code.
Victim has privileges to use Press This on example.com
This can be escalated by adding a basic-auth scheme to the redirect URL as
Listening for the SSRF on 192.168.0.1 would yield an incoming HTTP request from the victim's server carrying a basic-auth header crafted for the internal endpoint.
GET / HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: Press This (WordPress/4.7-RC1);
Accept-Encoding: deflate, gzip
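The root cause described above is that the IP/port filter runs once, on the URL the user submitted, while the redirect chain is then followed unchecked. The following is an added example (not code from the report or from WordPress) showing that vulnerable pattern next to a hardened fetcher that re-validates every hop and refuses credentials embedded in a URL. The hostnames, addresses, DNS table and HTTP responses are constructed stand-ins for a real resolver and HTTP client.

```python
"""Added example (not part of the original report): an SSRF URL filter that
re-validates every redirect hop and refuses credentials in URLs, next to a
naive filter that checks only the first URL, as the report describes.
All hostnames, addresses and responses below are constructed stand-ins."""
import ipaddress
from urllib.parse import urlsplit, urljoin

# Address ranges a scrape/fetch endpoint should never be allowed to reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_PORTS = {80, 443}

# Constructed DNS table standing in for a real resolver (assumption).
FAKE_DNS = {
    "attacker.example": ["203.0.113.10"],   # public, passes the first check
    "localhost": ["127.0.0.1"],
}

# Constructed responses standing in for a real HTTP client (assumption).
# The "valid" public host answers with a redirect into the private network
# and embeds basic-auth credentials in the Location target.
FAKE_HTTP = {
    "http://attacker.example/": (302, {"location": "http://admin:admin@192.168.0.1:11211/"}, b""),
    "http://admin:admin@192.168.0.1:11211/": (200, {}, b"internal service banner"),
    "http://203.0.113.20/": (200, {}, b"public page"),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def check_url(url, resolver=lambda h: FAKE_DNS.get(h, [])):
    """Return (ok, reason) for one URL: scheme, embedded credentials, port
    and every address the host resolves to are all checked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # user:pass@ in the URL would be turned into an Authorization
        # header on the request to the (possibly internal) target.
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETS):
            return False, "resolves to blocked address %s" % addr
    return True, "ok"


def naive_fetch(url, fetch=lambda u: FAKE_HTTP[u], max_redirects=5):
    """The pattern the report describes: the filter runs once on the
    submitted URL, then redirects are followed without re-checking."""
    ok, reason = check_url(url)
    if not ok:
        raise ValueError("refusing %s: %s" % (url, reason))
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise ValueError("too many redirects")


def safe_fetch(url, fetch=lambda u: FAKE_HTTP[u], max_redirects=5):
    """Hardened variant: every hop, including each redirect target, passes
    through check_url before any request is made to it."""
    for _ in range(max_redirects + 1):
        ok, reason = check_url(url)
        if not ok:
            raise ValueError("refusing %s: %s" % (url, reason))
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise ValueError("too many redirects")


if __name__ == "__main__":
    print("naive:", naive_fetch("http://attacker.example/"))
    try:
        safe_fetch("http://attacker.example/")
    except ValueError as err:
        print("safe :", err)
```

With the constructed table, `naive_fetch` ends up at the internal 192.168.0.1:11211 target with credentials in the URL, while `safe_fetch` stops at the redirect. In a real client the check must also bind the connection to the address that was validated (re-resolving at connect time reopens the hole via DNS rebinding), and any Authorization header should be dropped whenever a redirect changes host.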