During the testing of the JSM file_get_contents() Shortcode plugin, a significant SSRF (Server-Side Request Forgery) vulnerability was identified. This flaw allows exploitation through a shortcode, potentially leading to unauthorized access to internal resources.
Main info:
| CVE | CVE-2023-6991 |
| Plugin | JSM file_get_contents() Shortcode < 2.7.1 |
| Critical | High |
| All Time | 9 903 |
| Active installations | 400+ |
| Publicly Published | December 22, 2023 |
| Last Updated | December 22, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A1: Injection |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6991 https://wpscan.com/vulnerability/0b92becb-8a47-48fd-82e8-f7641cf5c9bc/ |
| Plugin Security Certification by CleanTalk |  |
Timeline
| October 5, 2023 | Plugin testing and vulnerability detection in the JSM file_get_contents() Shortcode have been completed |
| October 5, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 15, 2023 | The author fixed the vulnerability and released the plugin update |
| December 22, 2023 | Registered CVE-2023-6991 |
Discovery of the Vulnerability
In the process of testing the plugin, an SSRF vulnerability was found, which allows it to be exploited through a shortcodee
Understanding of SSRF attack’s
SSRF in WordPress involves an attacker manipulating a server’s behavior by making it perform unintended actions on internal resources. Real-world examples of SSRF vulnerabilities often include attackers forcing the server to access internal files, services, or APIs, bypassing security measures.
Exploiting the SSRF Vulnerability
The identified vulnerability can be exploited using a specially crafted shortcode. An example POC (Proof of Concept) shortcode is as follows:
POC shortcode:
[wpfgc url=”http://127.0.0.1:8084″]
___
By injecting this shortcode, an attacker can potentially force the server to make requests to the specified URL (in this case, http://127.0.0.1:8084), allowing them to interact with internal resources.
The potential risk associated with this SSRF vulnerability is substantial. Attackers could leverage it to make requests to internal services, potentially leading to unauthorized access, data exposure, or service disruption. In real-world scenarios, this vulnerability might be exploited to gather sensitive information or even pivot to additional attacks within the network.
Recommendations for Improved Security
- Input Validation: Implement strict input validation for shortcodes to prevent the injection of malicious content.
- URL Whitelisting: Maintain a whitelist of allowed URLs to restrict requests to trusted and necessary resources.
- Server Configuration: Adjust server configurations to minimize the impact of SSRF attacks. This may involve isolating internal resources or blocking certain outbound requests.
- Plugin Update: Regularly update the JSM file_get_contents() Shortcode plugin to include the latest security patches.
- Security Audits: Conduct periodic security audits to identify and address potential vulnerabilities within the WordPress environment.
By following these recommendations, WordPress site administrators can significantly reduce the risk of SSRF attacks and enhance the overall security posture of their websites.
#WordPressSecurity #SSRF #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
