During the testing of the JSM file_get_contents() Shortcode plugin, a significant SSRF (Server-Side Request Forgery) vulnerability was identified. This flaw allows exploitation through a shortcode, potentially leading to unauthorized access to internal resources.

Main info:

CVE: CVE-2023-6991
Plugin: JSM file_get_contents() Shortcode < 2.7.1
Critical: High
All Time: 9 903
Active installations: 400+
Publicly Published: December 22, 2023
Last Updated: December 22, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A1: Injection
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6991
https://wpscan.com/vulnerability/0b92becb-8a47-48fd-82e8-f7641cf5c9bc/
Plugin Security Certification by CleanTalk

Timeline

October 5, 2023: Plugin testing and vulnerability detection in the JSM file_get_contents() Shortcode have been completed
October 5, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 15, 2023: The author fixed the vulnerability and released the plugin update
December 22, 2023: Registered CVE-2023-6991

Discovery of the Vulnerability

In the process of testing the plugin, an SSRF vulnerability was found which can be exploited through a shortcode.

Understanding SSRF attacks

SSRF in WordPress involves an attacker manipulating a server’s behavior by making it perform unintended actions on internal resources. Real-world examples of SSRF vulnerabilities often include attackers forcing the server to access internal files, services, or APIs, bypassing security measures.

Exploiting the SSRF Vulnerability

The identified vulnerability can be exploited using a specially crafted shortcode. An example POC (Proof of Concept) shortcode is as follows:

POC shortcode:

[wpfgc url="http://127.0.0.1:8084"]

By injecting this shortcode, an attacker can potentially force the server to make requests to the specified URL (in this case, http://127.0.0.1:8084), allowing them to interact with internal resources.

The potential risk associated with this SSRF vulnerability is substantial. Attackers could leverage it to make requests to internal services, potentially leading to unauthorized access, data exposure, or service disruption. In real-world scenarios, this vulnerability might be exploited to gather sensitive information or even pivot to additional attacks within the network.

Recommendations for Improved Security

  • Input Validation: Implement strict input validation for shortcodes to prevent the injection of malicious content.
  • URL Whitelisting: Maintain a whitelist of allowed URLs to restrict requests to trusted and necessary resources.
  • Server Configuration: Adjust server configurations to minimize the impact of SSRF attacks. This may involve isolating internal resources or blocking certain outbound requests.
  • Plugin Update: Regularly update the JSM file_get_contents() Shortcode plugin to include the latest security patches.
  • Security Audits: Conduct periodic security audits to identify and address potential vulnerabilities within the WordPress environment.

By following these recommendations, WordPress site administrators can significantly reduce the risk of SSRF attacks and enhance the overall security posture of their websites.
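The "Input Validation" and "URL Whitelisting" recommendations above, shown as a hardened shortcode handler. This is an added example written for this page, not the plugin's own code or its actual fix: the unsafe pattern it replaces is handing a caller-supplied URL straight to a fetch function, and the defence is to refuse anything that is not an absolute http(s) URL to an exactly allowlisted host, then to fetch only through the WordPress HTTP API with unsafe-URL rejection switched on. The shortcode tag wpfgc_safe, the filter name wpfgc_safe_allowed_hosts and the example.com allowlist are names chosen for this example; add_shortcode(), shortcode_atts(), wp_parse_url(), wp_http_validate_url(), wp_safe_remote_get(), wp_remote_retrieve_response_code(), wp_remote_retrieve_body(), wp_kses_post() and WP_Error are WordPress core APIs.

```php
<?php
/*
 * Added example (not the plugin's own code): a shortcode that fetches remote
 * content only from an exact-match host allowlist and only via the WordPress
 * HTTP API. The tag 'wpfgc_safe' and the filter 'wpfgc_safe_allowed_hosts'
 * are hypothetical names chosen for this example.
 */

// Hosts this site is allowed to fetch from. An empty list means the shortcode
// fetches nothing at all, which is the safe default for a new install.
function wpfgc_safe_allowed_hosts() {
    return apply_filters( 'wpfgc_safe_allowed_hosts', array( 'example.com', 'www.example.com' ) );
}

// Returns the validated URL string, or a WP_Error explaining why it was refused.
function wpfgc_safe_validate_url( $url ) {
    $url   = trim( (string) $url );
    $parts = wp_parse_url( $url );

    // Only absolute URLs with a scheme and a host are acceptable.
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'wpfgc_bad_url', 'URL must be absolute.' );
    }
    // No file://, php://, gopher:// or other wrappers, only http(s).
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'wpfgc_bad_scheme', 'Only http and https are allowed.' );
    }
    // Exact-match allowlist: no suffix matching, so "example.com.attacker.test"
    // and raw IP addresses such as 127.0.0.1 are refused here.
    if ( ! in_array( strtolower( $parts['host'] ), wpfgc_safe_allowed_hosts(), true ) ) {
        return new WP_Error( 'wpfgc_host_not_allowed', 'Host is not on the allowlist.' );
    }
    // Core check: resolves the host and rejects loopback, link-local and
    // RFC 1918 targets, embedded credentials and ports other than 80/443/8080.
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return new WP_Error( 'wpfgc_unsafe_url', 'URL rejected by wp_http_validate_url().' );
    }
    return $validated;
}

function wpfgc_safe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'wpfgc_safe' );

    $url = wpfgc_safe_validate_url( $atts['url'] );
    if ( is_wp_error( $url ) ) {
        // Fail closed, and leave a trace the site owner can look for in the log.
        error_log( 'wpfgc_safe refused a URL: ' . $url->get_error_code() );
        return '';
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so every redirect hop is
    // re-validated too; a short timeout limits use of the site as a port probe.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    // Strip anything that is not post-safe HTML before it reaches the page.
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}
add_shortcode( 'wpfgc_safe', 'wpfgc_safe_shortcode' );
```

With this handler the PoC shortcode from the page is refused twice over: 127.0.0.1 is not on the allowlist, and even if it were, wp_http_validate_url() rejects loopback addresses and the non-standard port 8084. Shortcodes can be placed by any user who can edit posts, so the allowlist should be treated as site configuration and kept in code or a protected option rather than exposed through the shortcode itself.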


DMITRII I.
CVE-2023-6991 – JSM file_get_contents() Shortcode – SSRF- POC
