Source: security@wordfence.com
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Authenticated attackers with Contributor-level access can exploit a Server-Side Request Forgery (SSRF) vulnerability in the WP Import – Ultimate CSV XML Importer plugin. This allows attackers to make the server send HTTP requests to internal endpoints, potentially leading to the exposure of sensitive data and compromise of the WordPress installation.
Step 1: Authenticated Access: The attacker logs into the WordPress site with Contributor-level or higher privileges.
Step 2: Payload Preparation: The attacker crafts a malicious Bitly shortlink that redirects to an internal or private IP address (e.g., 127.0.0.1, 192.168.1.1, or 169.254.169.254).
Step 3: Plugin Exploitation: The attacker uses the WP Import plugin's functionality to import data from a URL. They provide the crafted Bitly shortlink as the source URL.
Step 4: Redirect and Bypass: The plugin's `upload_function()` validates the initial Bitly URL, but then the `unshorten_bitly_url()` function follows the redirect. The final destination URL (internal IP) is not re-validated.
Step 5: SSRF Execution: The plugin makes an HTTP request to the internal IP address specified by the attacker's Bitly link. This request is performed from the server's perspective.
Step 6: Data Exfiltration/Attack: The attacker can use this to access internal services, potentially retrieving sensitive data, such as cloud metadata, or interacting with internal APIs. This could lead to further exploitation, such as gaining access to other internal systems.
The vulnerability stems from insufficient URL validation within the `upload_function()` method of the WP Import plugin. The plugin validates the user-supplied URL with `wp_http_validate_url()`, but when that URL is a Bitly shortlink, `unshorten_bitly_url()` follows the redirect chain and the final destination is used without being passed through the same check. The validation is therefore applied only to the shortlink, never to the address the server actually requests, so a Bitly link that redirects to an internal or private IP address, or to a cloud metadata service (e.g., 169.254.169.254), passes the check. The root cause is a logic flaw: the resolved URL after a redirect is trusted as if it had been validated, which creates the SSRF vector.
While no specific APTs are directly linked to this vulnerability at this time, the nature of SSRF makes it attractive to various threat actors. The ability to access internal resources makes it a valuable tool for reconnaissance and lateral movement. CISA KEV status: Not applicable (as of the provided date).
Monitor egress (proxy or firewall) logs, and the access logs of internal services, for HTTP requests originating from the WordPress server to loopback, private, or link-local addresses; the web server's own access log records inbound requests and will not show these outbound connections.
Analyze outbound traffic from the web server for HTTP requests to internal addresses, including their User-Agent strings and headers: requests made by the plugin carry the server's HTTP client identity rather than a browser's, which distinguishes them from normal user traffic.
Use a Web Application Firewall (WAF) rule set that inspects import requests for URL parameters pointing at internal IP addresses or cloud metadata endpoints; note that a shortlink hides the final destination from the WAF, so this complements rather than replaces egress filtering.
Review plugin logs for suspicious activity, such as errors related to URL resolution or import failures.
Use an Intrusion Detection System (IDS) to monitor for known SSRF patterns and signatures.
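The detection items above amount to one rule: flag any outbound HTTP request from the WordPress host whose destination is a loopback, link-local, private, or otherwise unroutable address. The following is an added example (not code from the advisory, from Wordfence, or from the plugin) that applies that rule to a constructed egress-proxy log; the log format, the sample lines, and the WordPress host address `10.0.5.20` are all assumptions for illustration.

```python
import ipaddress
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample egress-proxy log (not from any real system). Each line is:
# <timestamp> <source_ip> <method> <destination_url> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 GET https://bit.ly/constructed-link 301
2024-05-01T10:00:01Z 10.0.5.20 GET http://169.254.169.254/latest/meta-data/ 200
2024-05-01T10:00:07Z 10.0.5.20 GET https://cdn.example.com/data.csv 200
2024-05-01T10:00:09Z 10.0.5.20 GET http://127.0.0.1:8080/admin 200
2024-05-01T10:00:12Z 10.0.5.20 GET http://localhost/wp-json/ 200
2024-05-01T10:00:15Z 10.0.5.20 GET http://192.168.1.1/ 403
2024-05-01T10:00:20Z 10.0.7.9 GET http://10.0.0.5/health 200
"""

# Assumed address of the WordPress web server whose egress we care about.
WORDPRESS_HOSTS: Set[str] = {"10.0.5.20"}


def classify_destination(url: str) -> Optional[str]:
    """Return a reason string if the URL targets a non-public address, else None.

    Only literal IPs and the 'localhost' name can be judged offline; any other
    hostname would need every A/AAAA record resolved before classification.
    """
    host = urlsplit(url).hostname
    if host is None:
        return "unparseable host"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback (localhost)"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: cannot classify without resolution
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if ip.is_private:
        return "private range"
    if ip.is_reserved or ip.is_multicast or ip.is_unspecified:
        return "reserved/unroutable"
    return None


def find_internal_egress(log_text: str, source_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (timestamp, url, reason) for each suspicious
    request that originated from one of the given source hosts."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        timestamp, source, _method, url, _status = fields[:5]
        if source not in source_hosts:
            continue
        reason = classify_destination(url)
        if reason is not None:
            findings.append((timestamp, url, reason))
    return findings


if __name__ == "__main__":
    for ts, url, reason in find_internal_egress(SAMPLE_LOG, WORDPRESS_HOSTS):
        print(f"{ts} {url} -> {reason}")
```

On the constructed log this reports the metadata-service, loopback, localhost, and private-range requests from the WordPress host and ignores the request from `10.0.7.9`, which is not the web server. A real deployment would run the same classification against resolved addresses as well, since a shortlink destination is usually a hostname rather than a literal IP.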
Update the WP Import – Ultimate CSV XML Importer plugin to version 7.36 or later.
Validate the final resolved URL after every redirect, not only the initial one: re-apply the same check (scheme, host, and resolved address against an allowlist of permitted domains and protocols) after `unshorten_bitly_url()` returns and before the import request is made.
Restrict the plugin's access to internal network resources by configuring firewall rules to prevent outbound connections to internal IP ranges.
Review and harden the WordPress server configuration, including disabling unnecessary services and restricting access to sensitive files and directories.
Regularly audit the plugin's code for security vulnerabilities and ensure that all dependencies are up-to-date.
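To make the root-cause description and the re-validation mitigation concrete, here is an added example (not the plugin's code and not from Wordfence) that contrasts the vulnerable pattern, validating only the initial URL and then following redirects blindly, with a resolver that validates every hop before any request is sent. Network and DNS are replaced by constructed in-memory tables so it runs offline; the function names, the `bit.ly` sample links, and the placeholder public addresses `23.45.67.89` and `23.45.67.90` are assumptions, and the check is written in Python rather than the plugin's PHP so the logic can be read and run on its own.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-ins for the network: URL -> (status, Location header)
FAKE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://bit.ly/constructed-bad": (301, "http://169.254.169.254/latest/meta-data/"),
    "http://169.254.169.254/latest/meta-data/": (200, None),
    "https://bit.ly/constructed-good": (301, "https://files.example.com/data.csv"),
    "https://files.example.com/data.csv": (200, None),
}
# Constructed DNS table: hostname -> addresses (placeholder public IPs)
FAKE_DNS: Dict[str, List[str]] = {
    "bit.ly": ["23.45.67.89"],
    "files.example.com": ["23.45.67.90"],
}


def fake_transport(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_RESPONSES.get(url, (404, None))


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


class UnsafeUrl(ValueError):
    """Raised when a URL (or a redirect hop) must not be fetched."""


def is_public_ip(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_url(url: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Allow only http(s) URLs whose host resolves exclusively to public addresses.
    Returns the validated addresses so a caller can pin the connection to them."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {url}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl(f"missing host: {url}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addresses = resolve(host)  # DNS name: check every record, not just one
    if not addresses:
        raise UnsafeUrl(f"host does not resolve: {host}")
    for address in addresses:
        if not is_public_ip(address):
            raise UnsafeUrl(f"{url} resolves to non-public address {address}")
    return addresses


def unshorten_blindly(url: str, transport: Callable, max_hops: int = 5) -> str:
    """Vulnerable pattern: the caller validated the shortlink once; each Location
    header is then followed without any further check."""
    for _ in range(max_hops):
        status, location = transport(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)
            continue
        return url
    raise UnsafeUrl("too many redirects")


def unshorten_safely(url: str, transport: Callable, resolve: Callable, max_hops: int = 5) -> str:
    """Hardened pattern: every hop, including the final destination, is validated
    before a request for it is issued."""
    for _ in range(max_hops):
        validate_url(url, resolve)
        status, location = transport(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)
            continue
        return url
    raise UnsafeUrl("too many redirects")


def check_import_url(url: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, final_url) if safe, else (False, reason)."""
    try:
        return True, unshorten_safely(url, fake_transport, fake_resolve)
    except UnsafeUrl as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("blind:", unshorten_blindly("https://bit.ly/constructed-bad", fake_transport))
    print("safe :", check_import_url("https://bit.ly/constructed-bad"))
    print("safe :", check_import_url("https://bit.ly/constructed-good"))
```

The blind resolver returns the metadata-service URL, which is exactly what `upload_function()` then fetches in the vulnerable versions; the hardened one rejects it at the hop where it first appears and still resolves the benign link. In production the validated addresses should also be the ones the HTTP client connects to (connection pinning), otherwise a host whose DNS answer changes between the check and the connection can defeat the check.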