VYPR
Unrated severity · NVD Advisory · Published May 16, 2022 · Updated Aug 3, 2024

External Media without Import <= 1.1.2 - Subscriber+ Blind SSRF

CVE-2022-1398

Description

Authenticated users can exploit a lack of authorization in the External Media without Import plugin to perform blind SSRF attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The External Media without Import WordPress plugin through version 1.1.2 lacks authorization checks and does not verify that media URLs are external. This allows any authenticated user, including subscribers, to add a URL pointing to internal network resources. The plugin then attempts to fetch the resource, enabling blind Server-Side Request Forgery (SSRF) [1].

Exploitation

An attacker with a valid account (e.g., subscriber) can craft a request to add a media item with a URL targeting internal services (e.g., 127.0.0.1:8080). The plugin will make an HTTP request to that URL, and the attacker can infer information from the response behavior (e.g., timing, errors) to probe internal networks [1].

Impact

The attack allows blind SSRF, enabling the attacker to map internal infrastructure, identify running services, and potentially reach sensitive endpoints that are not intended to be exposed externally. Because the SSRF is blind, the attacker does not see the response content directly, but can infer information through side channels such as timing and error behavior [1].

Mitigation

As of the publication date (2022-05-16), there is no known fix or updated version available. The plugin through 1.1.2 remains vulnerable. Users should consider removing or replacing the plugin if possible [1].
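The check the advisory says is missing, that a media URL really points at an external host, shown as an added Python example (this is not the plugin's code and not a published fix for it). The `resolver` hook, the `FAKE_DNS` table and the sample addresses are constructed here so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not the plugin's own code: the check the advisory says is
# missing, i.e. confirming that a media URL really points at an external host.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the set of IP address strings behind it."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(addr):
    """True for any address a server-side fetch must never reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # `not is_global` rejects loopback, RFC 1918, link-local, shared address
    # space, documentation and reserved ranges; multicast is added explicitly.
    return ip.is_multicast or not ip.is_global


def is_external_media_url(url, resolver=default_resolver):
    """Accept url only if it is http(s), carries no credentials, and every
    address its host resolves to is public. `resolver` is an assumed hook."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}  # literal, no DNS
    except ValueError:
        try:
            addrs = set(resolver(parts.hostname))
        except OSError:
            return False  # unresolvable host: fail closed
    return bool(addrs) and not any(is_internal_address(a) for a in addrs)


# Constructed stand-in for DNS so the sample can run offline.
FAKE_DNS = {"cdn.example.com": {"93.184.216.34"},
            "intranet.corp.example": {"10.0.0.5"},
            "mixed.example.com": {"93.184.216.34", "192.168.1.1"}}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("constructed NXDOMAIN for " + host)
    return FAKE_DNS[host]
```

A check like this has to sit beside an authorization check on the add-media action itself, and the eventual fetch should connect to the address that was validated, because a hostname's answer can change between resolution and request.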

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.