Starter Templates by FancyWP <= 2.0.0 - Unauthenticated Blind Server-Side Request Forgery

An unauthenticated attacker can trigger a blind Server-Side Request Forgery (SSRF) by exploiting the `http_request_host_is_external` filter in the plugin's export functionality. The attacker sends a crafted request to the WordPress site that causes the plugin to make HTTP requests to arbitrary internal or external hosts. This can be used to probe internal services, read sensitive metadata, or modify data on internal systems that are reachable from the web server. No authentication is required, and the attack is performed over the network.

The vulnerability resides in the `class-export.php` file of the Starter Templates by FancyWP plugin, specifically in the `export_wp` method and its use of the `http_request_host_is_external` filter. The plugin does not properly validate or restrict the destinations of outbound HTTP requests made during the export process, allowing arbitrary server-side requests.

The advisory indicates the vulnerability is present in all versions up to and including 2.0.0, but the bundle does not include a patch diff. The recommended remediation is to implement proper validation of hostnames passed to the `http_request_host_is_external` filter, ensuring that only allowed, safe destinations are reachable. Without a published patch, users should update to a patched version once released or apply a Web Application Firewall (WAF) rule to block SSRF attempts.