Support » Plugin: UpdraftPlus WordPress Backup Plugin » SSRF vulnerability (Server-Side Request Forgery)

  • Resolved dydydy

    (@dydydy)


    Hi,
    Reading the code of your plugin, I think you have an SSRF vulnerability.
    SSRF vulnerability has been found in the file /UpdraftPlus/admin.php parameter uri.
    The poc is:
    wordpress/wp-admin/admin-ajax.php?action=updraft_ajax&subaction=httpget&curl=1&uri=http://ip:port&nonce=xxxxx

    I am still looking for more security issues in the application. If I find more I will contact you. I hope this helps you in improving the security of your application and I look forward to new versions of the application being released.
    If you approve this vulnerability, please add author information to the release changelog or readme; I will appreciate it.

    dydydy # ADLab of Venustech

Viewing 1 replies (of 1 total)
  • Plugin Author David Anderson

    (@davidanderson)

    No, it’s intended that the user can provide an arbitrary URL there. The nonce and permissions check ensure that only a logged-in WP admin can use it. And of course, a logged-in WP admin can install any plugin that can do anything. So, there’s no issue here.

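The guard the reply describes, written out as an added illustration (this is not UpdraftPlus's code; the hook name, nonce action, and function name are assumptions): a WordPress AJAX handler that only serves a nonce-bearing request from a user with the administrator capability, and then fetches the caller-supplied URL through wp_safe_remote_get(), which adds WordPress's own rejection of private and loopback destinations as defence in depth.

```php
<?php
// Added example, not UpdraftPlus code. Hook name, nonce action and the
// function name are assumptions chosen for illustration.
add_action( 'wp_ajax_example_httpget', 'example_httpget_handler' );

function example_httpget_handler() {
    // 1. Nonce: the request must carry a token issued to this logged-in user,
    //    so a cross-site request cannot trigger the fetch. Dies on failure.
    check_ajax_referer( 'example-httpget-nonce', 'nonce' );

    // 2. Capability: only a site administrator may make the server fetch a URL.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Only http/https URLs are accepted; anything else becomes ''.
    $uri = isset( $_GET['uri'] ) ? wp_unslash( $_GET['uri'] ) : '';
    $uri = esc_url_raw( $uri, array( 'http', 'https' ) );
    if ( '' === $uri ) {
        wp_send_json_error( 'invalid URL', 400 );
    }

    // 4. Defence in depth: wp_safe_remote_get() sets reject_unsafe_urls, so
    //    wp_http_validate_url() refuses hosts in private or loopback ranges
    //    (unless a site opts in via the http_request_host_is_external filter)
    //    before any connection is opened. Redirects are capped as well.
    $response = wp_safe_remote_get(
        $uri,
        array( 'timeout' => 15, 'redirection' => 2 )
    );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }

    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'body'   => wp_remote_retrieve_body( $response ),
    ) );
}
```

The nonce and capability checks are what make the endpoint administrator-only, as the reply states; the safe-fetch wrapper only narrows where that administrator can point the server.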