Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)

2021-02-27T00:00:00
ID WPVDB-ID:24784C84-3EFD-4166-81C1-E5A266562CFC
Type wpvulndb
Reporter wpvulndb
Modified 2021-03-04T06:00:43

Description

The includes/mc-get_lists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmm_mc_api AJAX call (available to both authenticated and unauthenticated users).

PoC

Via the ucmm_mc_api AJAX action, accessible to both authenticated and unauthenticated users: Via direct access: