CVE-2023-5974 Scanner - Server-Side Request Forgery (SSRF) vulnerability in WordPress WPB Show Core
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 5 hours
Scan only one: Domain, Subdomain, IPv4
WPB Show Core is a WordPress plugin designed to enable users and administrators to display dynamic content, including media and files, within their websites. Commonly utilized by bloggers, businesses, digital publishers, and content creators, the plugin facilitates convenient embedding and organization of downloadable and interactive content. Its features include custom file browsing, dynamic content rendering, and streamlined integration within the WordPress environment. WPB Show Core simplifies content management, enhances user engagement, and supports versatile media-rich website experiences. It is popular among websites seeking user-friendly solutions for managing multimedia content. This plugin is particularly valuable due to its intuitive interface, making it accessible even to users without technical backgrounds.
The Server-Side Request Forgery (SSRF) vulnerability in WPB Show Core stems from insufficient validation of user-provided input to the 'download-manager' component. The plugin mishandles URLs submitted via its 'download-manager' feature, which lets attackers manipulate the server into sending unauthorized requests: the vulnerable WordPress server can be made to initiate unintended connections to external or internal resources, using crafted URLs that point to internal network services or external malicious servers. The flaw does not require user authentication, making exploitation relatively straightforward and particularly dangerous. Plugin versions up to and including 2.2 are vulnerable.
The vulnerability affects the endpoint located at '/wp-content/plugins/wpb-show-core/download-manager.php', where the 'url' parameter lacks proper sanitization. An attacker can send specially crafted GET requests to this endpoint, injecting arbitrary URLs that the vulnerable server will attempt to access. Such requests can probe internal network services or external systems, potentially accessing sensitive internal resources; attackers typically target internal services not reachable directly from the internet to gather sensitive information or conduct further attacks. The root cause is that external resource references are handled without appropriate validation or restrictions.
Exploiting this SSRF vulnerability can enable attackers to scan internal networks, interact with sensitive internal resources, and obtain privileged information from otherwise unreachable internal services. Attackers might leverage this flaw to gather internal system details, escalate privileges, or discover vulnerabilities in connected services. Sensitive information such as internal IP addresses, credentials, or application-specific data could be disclosed, facilitating further targeted attacks. Additionally, attackers may leverage this flaw to execute complex chained attacks involving other services within the organization's network. Ultimately, this vulnerability poses a significant security risk by potentially compromising internal systems and exposing confidential data.
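For asset owners reviewing their own web server logs, the sketch below looks for requests to the endpoint and 'url' parameter described above and labels where each one points. It is an added example, not the scanner's or the plugin's code; it assumes combined-format access logs, and the sample lines, function names and the internal-name suffixes are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the description above.
ENDPOINT = "/wp-content/plugins/wpb-show-core/download-manager.php"
# Client address and request target of a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2023:10:01:02 +0000] "GET /wp-content/plugins/wpb-show-core/download-manager.php?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.8 - - [12/Nov/2023:10:02:10 +0000] "GET /wp-content/plugins/wpb-show-core/download-manager.php?url=https://files.example.com/a.pdf HTTP/1.1" 200 9001 "-" "-"',
    '203.0.113.9 - - [12/Nov/2023:10:03:44 +0000] "GET /index.php?url=http://127.0.0.1/ HTTP/1.1" 200 100 "-" "-"',
    '198.51.100.9 - - [12/Nov/2023:10:04:05 +0000] "GET /wp-content/plugins/wpb-show-core/download-manager.php?url=http://127.0.0.1/status HTTP/1.1" 200 77 "-" "-"',
    '198.51.100.9 - - [12/Nov/2023:10:04:09 +0000] "GET /wp-content/plugins/wpb-show-core/download-manager.php HTTP/1.1" 200 0 "-" "-"',
]

def classify_target(value):
    """Label the destination carried in the 'url' parameter."""
    try:
        host = urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:  # malformed bracketed host
        return "unparsed"
    if not host:
        return "unparsed"
    if host == "localhost" or host.endswith((".local", ".internal")):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # not an IP literal: resolve it before trusting this label
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"

def find_ssrf_attempts(lines):
    """Return (client, target_url, label) for each endpoint request carrying 'url'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if unquote(parts.path).lower() != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get("url", []):  # parse_qs percent-decodes
            hits.append((m["client"], value, classify_target(value)))
    return hits
```

Because the endpoint needs no authentication, every hit deserves a look on a site running version 2.2 or earlier; the "internal" label only helps prioritise.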