OneStore Sites <= 0.1.1 - Unauthenticated Blind Server-Side Request Forgery

An unauthenticated attacker triggers the SSRF by sending a crafted HTTP request to the WordPress site with the `from_onestore=placeholder` parameter, which invokes the `export_wp()` method in `class-export.php` [ref_id=1]. The export process fetches external resources (e.g., attachment URLs, image URLs inside post content) from attacker-controlled or internal addresses. This allows the attacker to make web requests originating from the web application's server, potentially querying or modifying information from internal services that are not directly accessible from the internet.

The vulnerability resides in the `class-export.php` file of the OneStore Sites plugin (versions ≤ 0.1.1). The `export_wp()` method and its helper `get_export_file_name()` are reachable via the `from_onestore` GET parameter without any authentication checks, and the export routine makes outbound requests to arbitrary URLs derived from post content and attachment URLs, enabling Server-Side Request Forgery (SSRF).

The advisory does not provide a specific patch diff. To remediate the SSRF vulnerability, the plugin should add authentication and authorization checks before allowing the export functionality to be invoked, and restrict the URLs that can be fetched to a whitelist of trusted domains, preventing requests to internal or private IP ranges. Without a published fix, users should disable or remove the plugin until an update is available.