CVE-2023-3958 - Exploiting SSRF in WP Remote Users Sync for WordPress

Summary
CVE-2023-3958 is a critical security vulnerability found in the popular “WP Remote Users Sync” plugin for WordPress. Versions up to and including 1.2.12 are affected. The bug is a Server Side Request Forgery (SSRF) issue enabled via an insecure AJAX endpoint called notify_ping_remote. Attackers with just subscriber-level access can abuse this to send harmful requests on behalf of the web server, risking sensitive internal data and putting your WordPress site at risk.

Let’s break down exactly what this means, how the exploit works, and how you can protect yourself.

What is WP Remote Users Sync?

WP Remote Users Sync is a WordPress plugin that lets multiple WordPress sites share user accounts. Useful if you have several sites and want to keep user accounts in sync.

The Vulnerability: SSRF via AJAX

Server Side Request Forgery (SSRF) lets an attacker trick your server into sending HTTP or other requests to *any* internal or external address, often revealing sensitive information or performing actions that only the server should be able to. In this case, WP Remote Users Sync exposes an AJAX action called notify_ping_remote that is not properly secured.

Why is it bad?

If you’re logged in as even the lowest-level user "subscriber," you can send arbitrary requests anywhere from your WordPress server—not just to the outside world, but to internal services (think: localhost, 127...1, or private network addresses like 192.168.X.X).

In the worst cases, this might let an attacker

- Read data from local/internal services (databases, admin panels, PHP consoles)

How the Exploit Works

Step 1:
Attacker logs in as a subscriber (they only need the lowest permission user).

Step 2:
Attacker crafts a POST request to the AJAX endpoint /wp-admin/admin-ajax.php with the action notify_ping_remote and a remote_url parameter set to their desired target.

Step 3:
The vulnerable plugin takes the supplied URL and blindly pings it from your server.

Here is a simple proof-of-concept using curl in terminal

curl -X POST https://yourwordpress.com/wp-admin/admin-ajax.php \
  -d 'action=notify_ping_remote' \
  -d 'remote_url=http://127...1:808/admin'; \
  -d 'security=YOUR_NONCE_HERE' \
  -b 'wordpress_logged_in_COOKIE_HERE'

Replace:
- YOUR_NONCE_HERE with a valid security nonce (can be taken from a legitimate form/request while logged in)

wordpress_logged_in_COOKIE_HERE with your actual WordPress session cookie

Result:
If unpatched, your server will make a request to http://127...1:808/admin—even if this is a private or internal-only endpoint.

Real-World Impact

On many web servers, internal admin panels, stats portals, cloud metadata APIs, or other sensitive services are bound only to local network addresses. Most attackers can't reach these, but SSRF lets them use *your* server as a middleman to poke around.

Reading AWS EC2 metadata from internal IP:

http://169.254.169.254/latest/meta-data/
- Accessing local phpMyAdmin/login pages
http://127...1/phpmyadmin/

Responsible Disclosure & Patch Timeline

- Discovered: Wordfence Report

Fully patched: in version 1.2.13 (blocks these requests)

> If you use WP Remote Users Sync, upgrade to 1.2.13 or later right now.

Make sure your plugin is at least version 1.2.13. Older versions are not safe.

Audit User Accounts:

Remove or demote any suspicious subscriber accounts, especially if you don’t know where they came from.

Check for Abuse:

Look in your website logs for suspicious admin-ajax.php requests, especially those using notify_ping_remote and odd URLs.

Conclusion

SSRF bugs like this are especially risky because attackers only need low-level access and have wide flexibility in what they can target. WP Remote Users Sync's notify_ping_remote function gives a practical case of "your server is not just your own"—it can be turned against you.

Resources & References

- Official WordPress Plugin Page
- Wordfence Vulnerability Report
- NIST NVD Record: CVE-2023-3958

Bottom line:
If you use WP Remote Users Sync, check your version, update NOW, and watch for similar risks in other plugins. All it takes is one low-permission account and a little know-how for your server to become a gateway.


*Stay secure! If you want more details or PoCs on this kind of WordPress vulns, let us know in the comments below.*

Timeline

Published on: 08/16/2023 05:15:00 UTC
Last modified on: 08/22/2023 18:03:00 UTC