The WP Remote Users Sync plugin for WordPress is a widely used tool for synchronizing user accounts between multiple WordPress installations. A Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2023-3958, has been disclosed in this plugin. In this article we cover the details of the vulnerability, the affected versions, and what an attacker can do with it. We also include a code snippet that illustrates the vulnerable pattern and links to the original references.

Vulnerability Details

The WP Remote Users Sync plugin for WordPress is vulnerable to SSRF via the 'notify_ping_remote' AJAX function in versions up to and including 1.2.12. The function can be reached by any authenticated user with subscriber-level permissions or above, and it lets that user cause the web server to issue HTTP requests to arbitrary destinations. Because the requests originate from the web application itself, an attacker can use them to query, and in some cases modify, internal services that are not reachable from the internet. The issue was partially patched in version 1.2.12 and fully patched in version 1.2.13.

Exploit

Using the SSRF vulnerability, an attacker can craft requests that reach internal services behind a firewall, or that expose sensitive information those services return. The impact comes from the server's network position: the request carries the web server's source address and can reach hosts and ports that the attacker cannot reach directly, which is why a low-privileged account (a subscriber) is enough to make this dangerous.

The following simplified snippet illustrates the vulnerable pattern in the 'notify_ping_remote' AJAX function (it is a condensed illustration of the flaw, not the plugin's verbatim source):

function notify_ping_remote() {
    // The nonce only proves the request came from a page this site rendered;
    // it is not an authorization check, so any logged-in user can pass it.
    check_ajax_referer('nonce_ping_remote', 'nonce');

    // Vulnerable code: the destination comes straight from the caller.
    // esc_url_raw() only normalizes the string; it does not restrict
    // which scheme, host or port the server will connect to.
    $url = esc_url_raw($_POST['notify_ping_remote_url']);
    wp_remote_get($url);

    wp_die();
}

In the above code, the $url parameter is taken directly from the POST request and passed to wp_remote_get(). esc_url_raw() is an escaping function, not a destination check: it does not verify that the host is one of the configured remote sites, nor that it is not a loopback, private or link-local address. Combined with the missing capability check, this lets any authenticated user make the server send an HTTP request to a location of their choosing.
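As an added illustration (not the plugin's own code, and not the exact fix shipped in 1.2.13), the handler below shows the controls a hardened version of this AJAX function would need: a capability check so that subscribers cannot reach it, an allowlist of the remote sites the plugin is already configured to sync with, WordPress's own wp_http_validate_url() check, and wp_safe_remote_get() instead of wp_remote_get(). The AJAX hook name and the 'wprus_remote_sites' option holding the configured remote URLs are assumptions made for the example.

```php
<?php
// Added example: hardened replacement for the vulnerable handler.
// Assumed names: the AJAX action hook below and the 'wprus_remote_sites' option.

add_action( 'wp_ajax_notify_ping_remote', 'notify_ping_remote_hardened' ); // assumed hook name

function notify_ping_remote_hardened() {
    // 1. CSRF protection. A nonce proves origin, not authorization.
    check_ajax_referer( 'nonce_ping_remote', 'nonce' );

    // 2. Authorization. The CVE was reachable by subscribers because a check
    //    like this was absent; only administrators should trigger outbound pings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $url = isset( $_POST['notify_ping_remote_url'] )
        ? esc_url_raw( wp_unslash( $_POST['notify_ping_remote_url'] ) )
        : '';

    // 3. Destination allowlist. The plugin already knows which sites it syncs
    //    with, so the caller may only pick one of those, never a free-form URL.
    $allowed = (array) get_option( 'wprus_remote_sites', array() ); // assumed option name
    if ( ! wprus_example_same_origin( $url, $allowed ) ) {
        wp_send_json_error( 'destination is not a configured remote site', 400 );
    }

    // 4. Defense in depth. wp_http_validate_url() rejects non-http(s) schemes,
    //    embedded credentials, unusual ports, and hosts that resolve to loopback
    //    or RFC 1918 addresses (unless a site filter explicitly allows them).
    if ( false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'destination failed validation', 400 );
    }

    // 5. wp_safe_remote_get() sets 'reject_unsafe_urls', so the same validation
    //    is applied inside the HTTP API. Redirects are disabled so a trusted
    //    remote cannot bounce the server to an internal address.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );

    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }

    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
    ) );
}

/**
 * Return true only if $url has the same scheme, host and port as one of the
 * configured remote sites. Comparing parsed components (not string prefixes)
 * prevents bypasses such as "https://remote.example.com.attacker.tld".
 *
 * @param string   $url     Caller-supplied URL.
 * @param string[] $allowed Configured remote site URLs.
 * @return bool
 */
function wprus_example_same_origin( $url, array $allowed ) {
    $target = wp_parse_url( $url );
    if ( empty( $target['scheme'] ) || empty( $target['host'] ) ) {
        return false;
    }
    $default_port = ( 'https' === $target['scheme'] ) ? 443 : 80;
    $target_port  = isset( $target['port'] ) ? (int) $target['port'] : $default_port;

    foreach ( $allowed as $site ) {
        $s = wp_parse_url( $site );
        if ( empty( $s['scheme'] ) || empty( $s['host'] ) ) {
            continue;
        }
        $s_default = ( 'https' === $s['scheme'] ) ? 443 : 80;
        $s_port    = isset( $s['port'] ) ? (int) $s['port'] : $s_default;

        if ( strtolower( $s['scheme'] ) === strtolower( $target['scheme'] )
            && strtolower( $s['host'] ) === strtolower( $target['host'] )
            && $s_port === $target_port ) {
            return true;
        }
    }
    return false;
}
```

The allowlist is the primary control; wp_http_validate_url() is a backstop, not a complete SSRF filter. It resolves the hostname once at check time, so a DNS name that later resolves to an internal address (DNS rebinding) can slip past it, and its private-range check covers loopback and RFC 1918 space but not link-local addresses such as the 169.254.0.0/16 block used by cloud metadata endpoints, nor IPv6. If the destination must stay configurable, keep the capability check and the origin comparison above regardless of what the HTTP API validates.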

References

1. CVE-2023-3958 - Official entry for the vulnerability in the CVE database.
2. WP Remote Users Sync Plugin Page - WordPress plugin directory page, including the latest version and the changelog.
3. WPScan Vulnerability Database - WPScan's entry for this vulnerability, including affected versions and exploit details.

Conclusion

Users of the WP Remote Users Sync plugin should update to version 1.2.13 or later to fully close this SSRF vulnerability (CVE-2023-3958); version 1.2.12 contains only a partial fix. Since the flaw is reachable by any subscriber-level account, sites that allow open registration are exposed until they patch. Keeping plugins current and following general WordPress hardening practices reduces the window in which issues like this can be exploited.

Timeline

Published on: 08/16/2023 05:15:00 UTC
Last modified on: 08/22/2023 18:03:00 UTC