Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery

The plugin does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

PoC

1. Install the Log HTTP Requests plugin to inspect the requests being sent from the server-side. 2. Open a blog post in the block editor. 3. Click on the “MyStockPhotos” icon in the upper right to open the “MyStockPhotos” sidebar. 4. Hover over an image, click the button to “Add to Media Library”, and intercept the request. 5. Change the URL in the url POST parameter to an arbitrary URL. 6. Forward the request, and check the HTTP Requests log. See that the server has sent a request to the URL that was chosen.