The Web Stories plugin for WordPress, which is widely used to create visually engaging and interactive content, has recently been found to have a significant vulnerability. This vulnerability, tracked as CVE-2022-3708, affects plugin versions up to and including 1.24.0. Attackers can exploit it to make the application server issue web requests of their choosing, potentially giving them access to internal services and sensitive information.

In this post, we'll examine the details of this vulnerability, the affected REST API Endpoint, and how to mitigate the risk. We will also provide a code snippet demonstrating the issue and links to the original references.

Vulnerability Details

The CVE-2022-3708 vulnerability exists in the Web Stories plugin for WordPress due to insufficient validation of URLs supplied via the 'url' parameter. This parameter is found in the /v1/hotlink/proxy REST API Endpoint. When an authenticated user provides a URL that isn't properly validated, the web application can make requests to arbitrary locations. This Server-Side Request Forgery (SSRF) vulnerability exposes the internal services of the application and allows for unauthorized access to sensitive information.

Affected REST API Endpoint

The vulnerable API endpoint is /v1/hotlink/proxy. This endpoint takes the 'url' parameter, which is used to specify the resource URL.

Code Snippet

Below is a simple code snippet illustrating the issue in the proxy method of the vulnerable REST API Endpoint:

function grab_url($url) {
  // Vulnerable: the user-supplied URL goes straight to the HTTP client with no
  // scheme, host or IP-range checks, so the server fetches whatever it is given.
  $response = wp_remote_get($url);
  return $response;
}

function proxy_handler($request) {
  $url = $request->get_param('url');
  $response = grab_url($url);
  // Proxy the request and return the response (an array, or a WP_Error on failure)
  return $response;
}

add_action('rest_api_init', function () {
  register_rest_route('v1', '/hotlink/proxy', array(
    'methods' => 'GET',
    'callback' => 'proxy_handler',
    // Illustrative: any logged-in user may call the endpoint, which is why the
    // issue is reachable by authenticated users
    'permission_callback' => 'is_user_logged_in',
    'args' => array(
      'url' => array('required' => true),
    ),
  ));
});

In the grab_url function, there is insufficient validation of the supplied URL, which can lead to SSRF attacks when exploited.

Exploit Details

An attacker who is authenticated can make web requests to arbitrary internal locations from the web application. This can be achieved by sending a GET request to the affected API endpoint:

GET /wp-json/v1/hotlink/proxy?url=http://internal.service.local/ HTTP/1.1
Host: vulnerable-server.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, */*; q=0.01
Referer: http://vulnerable-server.com/wp-admin/

By providing an arbitrary URL, the attacker can potentially query and modify information within internal services.

Mitigation

To mitigate the CVE-2022-3708 vulnerability, users should upgrade their Web Stories plugin for WordPress to version 1.25.0 or later. This version includes a patch that properly validates the URLs provided via the 'url' parameter.
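For developers maintaining a similar proxy endpoint, the following is an added example (not the plugin's own patch) of the validation a hardened grab_url() needs before fetching a user-supplied URL: restrict the scheme and port, resolve the host, and refuse any address in a loopback, private or reserved range. The scheme, credential and port rules are assumptions; the IP-range rejection follows the same idea WordPress applies in wp_http_validate_url(), which wp_safe_remote_get() turns on.

```php
// Added example (not the plugin's own code): a hardened replacement for grab_url().
// Scheme, credential and port rules are assumptions; the IP-range checks follow the
// same idea WordPress applies in wp_http_validate_url().
function resolve_host_ips( $host ) {
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return array( $host ); // IP literal: nothing to resolve
    }
    $ips = array();
    foreach ( (array) dns_get_record( $host, DNS_A | DNS_AAAA ) as $rec ) {
        if ( isset( $rec['ip'] ) )   { $ips[] = $rec['ip']; }
        if ( isset( $rec['ipv6'] ) ) { $ips[] = $rec['ipv6']; }
    }
    return $ips;
}

function is_safe_hotlink_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Only plain HTTP(S): no file://, ftp://, gopher:// and friends.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // No embedded credentials, no non-standard ports.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    if ( isset( $parts['port'] ) && ! in_array( (int) $parts['port'], array( 80, 443 ), true ) ) {
        return false;
    }
    // Every address the host resolves to must be public: this rejects 127/8,
    // 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7 and fe80::/10.
    $ips = resolve_host_ips( strtolower( trim( $parts['host'], '[]' ) ) );
    foreach ( $ips as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return ! empty( $ips ); // an unresolvable host is rejected too
}

function grab_url_hardened( $url ) {
    if ( ! is_safe_hotlink_url( $url ) ) {
        return new WP_Error( 'rest_invalid_url', 'URL not allowed.', array( 'status' => 400 ) );
    }
    // wp_safe_remote_get() re-validates the URL; redirects are disabled so a
    // public host cannot bounce the request to an internal address.
    return wp_safe_remote_get( $url, array( 'redirection' => 0, 'timeout' => 5 ) );
}
```

Note that the check and the HTTP client resolve the host name independently, so a host whose DNS answer changes between the two lookups can still slip through; closing that gap requires pinning the validated address at connection time.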

For more information on this vulnerability, consult the original references provided below:

1. Web Stories plugin for WordPress: https://wordpress.org/plugins/web-stories/
2. CVE-2022-3708: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3708

Conclusion

The CVE-2022-3708 vulnerability in the Web Stories plugin for WordPress poses a significant risk to users running versions up to and including 1.24.0. If exploited, this SSRF vulnerability can grant unauthorized access to sensitive information and disrupt internal services. To protect your WordPress site, it's crucial to update your Web Stories plugin to the latest version and stay informed about new security threats.

Timeline

Published on: 10/28/2022 19:15:00 UTC
Last modified on: 11/03/2022 14:28:00 UTC