Server Side Request Forgery in WP Remote Users Sync Plugin for WordPress
CVE-2023-3958

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Remote Users Sync
Vendor: CVE Published:; 16 August 2023

Summary

The WP Remote Users Sync plugin for WordPress allows authenticated attackers with subscriber-level permissions or higher to perform Server Side Request Forgery (SSRF) attacks via the 'notify_ping_remote' AJAX function. This vulnerability enables the attackers to send web requests to arbitrary locations from the web application, potentially exposing sensitive information and leading to unauthorized actions on internal services. This issue has been partially addressed in version 1.2.12 and fully resolved in version 1.2.13.

Affected Version(s)

WP Remote Users Sync * <= 1.2.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-remote-user...

https://plugins.trac.wordpress.org/changeset/2946667/wp-r...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 16, 2023
Vulnerability Reserved
Jul 26, 2023

Credit

Lana Codes