RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF

Vulnerability

The RSVPMaker WordPress plugin versions before 8.7.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the import functionality. The rsvpmaker_export_screen function, located in rsvpmaker-admin.php at line 729, accepts a URL input via the importrsvp parameter and passes it directly to wp_remote_get() without validating that the URL points to a remote resource [1]. This allows an attacker to make the server issue HTTP requests to arbitrary destinations, including internal network addresses. The vulnerability is present in all versions prior to 8.7.3 [2].

Exploitation

To exploit this vulnerability, an attacker must have administrator-level access to the WordPress site. The attacker sends a crafted POST request to the endpoint /wp-json/rsvpmaker/v1/importnow with a nonce and a URL parameter pointing to an internal or external target [1]. The server then performs an HTTP request to that URL. The attacker can infer information about the target based on response times, error messages, or response content. No additional user interaction is required beyond the initial authentication [2].

Impact

Successful exploitation allows an attacker to perform SSRF attacks, enabling them to scan internal network hosts and services. This can lead to information disclosure about the internal network topology, open ports, and potentially access internal services that are not intended to be exposed. The attack does not directly result in remote code execution or data exfiltration, but it can be a stepping stone for further attacks [1][2].

Mitigation

The vulnerability is fixed in RSVPMaker version 8.7.3, released on June 2, 2021 [1][2]. Users should update to this version or later immediately. No workarounds are documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.