CVE-2025-14627

MEDIUM 6.4 / 10.0
Published: January 1, 2026 at 05:15 PM
Modified: January 2, 2026 at 04:45 PM
Source: security@wordfence.com

Vulnerability Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.

CVSS Metrics

Base Score
6.4
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: security@wordfence.com

AI Security Analysis

01 // Technical Summary

Authenticated attackers with Contributor-level access can exploit a Server-Side Request Forgery (SSRF) vulnerability in the WP Import – Ultimate CSV XML Importer plugin. This allows attackers to make the server send HTTP requests to internal endpoints, potentially leading to the exposure of sensitive data and compromise of the WordPress installation.

02 // Vulnerability Mechanism

Step 1: Authenticated Access: The attacker logs into the WordPress site with Contributor-level or higher privileges.

Step 2: Payload Preparation: The attacker crafts a malicious Bitly shortlink that redirects to an internal or private IP address (e.g., 127.0.0.1, 192.168.1.1, or 169.254.169.254).

Step 3: Plugin Exploitation: The attacker uses the WP Import plugin's functionality to import data from a URL. They provide the crafted Bitly shortlink as the source URL.

Step 4: Redirect and Bypass: The plugin's upload_function() validates the initial Bitly URL, but then the unshorten_bitly_url() function follows the redirect. The final destination URL (internal IP) is not re-validated.

Step 5: SSRF Execution: The plugin makes an HTTP request to the internal IP address specified by the attacker's Bitly link. This request is performed from the server's perspective.

Step 6: Data Exfiltration/Attack: The attacker can use this to access internal services, potentially retrieving sensitive data, such as cloud metadata, or interacting with internal APIs. This could lead to further exploitation, such as gaining access to other internal systems.

03 // Deep Technical Analysis

The vulnerability stems from insufficient URL validation within the upload_function() method of the WP Import plugin. Specifically, the plugin uses wp_http_validate_url() for initial URL validation. However, when a Bitly shortlink is encountered, the unshorten_bitly_url() function follows redirects without re-validating the final destination URL. This bypasses the initial validation, allowing an attacker to provide a Bitly link that redirects to an internal or private IP address. The lack of proper validation after the redirect allows the attacker to craft requests to internal services, such as cloud metadata services (e.g., 169.254.169.254), or internal network resources. The root cause is a logic flaw where the plugin trusts the resolved URL after a Bitly redirect without re-validating it, creating an SSRF vector.
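The description and the analysis above both come down to one missing step: the URL that is actually requested after the shortlink redirect is never put through the same check as the URL the user submitted. The following PHP is an added example of the fix pattern, not code from the WP Import plugin or from Wordfence. It follows a URL one redirect hop at a time and re-validates every hop before requesting it. The `example_*` names and the `EXAMPLE_MAX_HOPS` limit are hypothetical; `wp_http_validate_url()`, `wp_safe_remote_head()`, `wp_safe_remote_get()`, `wp_parse_url()`, `wp_remote_retrieve_response_code()`, `wp_remote_retrieve_header()` and `WP_Http::make_absolute_url()` are WordPress core APIs, and `filter_var()` with the `FILTER_FLAG_NO_PRIV_RANGE` / `FILTER_FLAG_NO_RES_RANGE` flags is standard PHP.

```php
<?php
// Added example, not code from the WP Import plugin. It shows the fix
// pattern the advisory implies: validate the target of *every* redirect hop,
// not only the URL the user submitted. example_* names are hypothetical;
// the wp_* functions and WP_Http::make_absolute_url() are WordPress core.

const EXAMPLE_MAX_HOPS = 5; // hypothetical cap on redirect depth

/**
 * Defence in depth alongside wp_http_validate_url(): resolve the host and
 * reject loopback, private (RFC 1918), link-local (169.254.0.0/16, where
 * cloud metadata endpoints live) and reserved addresses with PHP's IP
 * filter flags.
 */
function example_host_is_internal( $host ) {
	// gethostbyname() returns its input unchanged when resolution fails,
	// so a non-IP result means "could not resolve" and is treated as unsafe.
	$ip = gethostbyname( $host );
	if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
		return true;
	}
	$public = filter_var(
		$ip,
		FILTER_VALIDATE_IP,
		FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
	);
	return false === $public;
}

/**
 * Follow a (possibly shortened) URL one hop at a time, re-checking each
 * hop before it is requested.
 *
 * @return string|WP_Error Final URL, or WP_Error when any hop is unsafe.
 */
function example_resolve_url_safely( $url ) {
	$current = $url;

	for ( $hop = 0; $hop <= EXAMPLE_MAX_HOPS; $hop++ ) {
		// The same check the initial URL gets, now applied to the current hop.
		if ( ! wp_http_validate_url( $current ) ) {
			return new WP_Error( 'unsafe_url', 'Rejected URL: ' . $current );
		}
		$host = wp_parse_url( $current, PHP_URL_HOST );
		if ( ! $host || example_host_is_internal( $host ) ) {
			return new WP_Error( 'internal_host', 'Rejected internal host: ' . $host );
		}

		// redirection => 0 stops WordPress from following the redirect
		// itself, so the Location target comes back to us for checking.
		$response = wp_safe_remote_head( $current, array(
			'redirection' => 0,
			'timeout'     => 5,
		) );
		if ( is_wp_error( $response ) ) {
			return $response;
		}

		$status   = (int) wp_remote_retrieve_response_code( $response );
		$location = wp_remote_retrieve_header( $response, 'location' );
		if ( is_array( $location ) ) {
			$location = reset( $location ); // several Location headers: take the first
		}

		if ( $status < 300 || $status > 399 || empty( $location ) ) {
			return $current; // no further redirect: this is the destination
		}

		// Location may be relative; resolve it against the current URL.
		$current = WP_Http::make_absolute_url( $location, $current );
	}

	return new WP_Error( 'too_many_redirects', 'More than ' . EXAMPLE_MAX_HOPS . ' redirect hops' );
}

// Usage sketch (hypothetical): only a URL that passed every hop is fetched.
// $final = example_resolve_url_safely( $user_supplied_url );
// if ( is_wp_error( $final ) ) { /* refuse the import and log the rejected URL */ }
// else { $body = wp_safe_remote_get( $final ); }
```

Two design points worth noting. First, the final fetch still goes through `wp_safe_remote_get()`, so the core `reject_unsafe_urls` check applies again at request time rather than relying only on the resolver. Second, a check-then-fetch split always leaves a small DNS rebinding window between the `gethostbyname()` call and the request; the explicit per-hop check closes the redirect bypass the advisory describes, but a deployment that cannot tolerate that window should additionally block egress to link-local and private ranges at the network layer.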
